WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.
PUBLISHED5.2CWE-639
WeKan < 8.19 Checklist Creation Cross-Board IDOR
Problem type
Affected products
WeKan
WeKan
< 8.19 - AFFECTED
References
github.com
https://github.com/wekan/wekan/commit/5cd875813fdec5a3c40a0358b30a347967c85c14
wekan.fi
https://wekan.fi/
vulncheck.com
https://www.vulncheck.com/advisories/wekan-checklist-creation-cross-board-idor
GitHub Security Advisories
GHSA-x9cj-242h-gr3m
WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist...
https://github.com/advisories/GHSA-x9cj-242h-gr3mWeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.
nvd.nist.gov
https://nvd.nist.gov/vuln/detail/CVE-2026-25563
github.com
https://github.com/wekan/wekan/commit/5cd875813fdec5a3c40a0358b30a347967c85c14
wekan.fi
https://wekan.fi
vulncheck.com
https://www.vulncheck.com/advisories/wekan-checklist-creation-cross-board-idor
github.com
https://github.com/advisories/GHSA-x9cj-242h-gr3m
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-25563Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-25563",
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"dateUpdated": "2026-02-07T21:57:32.181Z",
"dateReserved": "2026-02-02T20:12:33.396Z",
"datePublished": "2026-02-07T21:57:32.181Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck",
"dateUpdated": "2026-02-07T21:57:32.181Z"
},
"title": "WeKan < 8.19 Checklist Creation Cross-Board IDOR",
"descriptions": [
{
"lang": "en",
"value": "WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers."
}
]
}
],
"affected": [
{
"vendor": "WeKan",
"product": "WeKan",
"repo": "https://github.com/wekan/wekan",
"defaultStatus": "unaffected",
"versions": [
{
"version": "0",
"status": "affected",
"versionType": "semver",
"lessThan": "8.19"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"cweId": "CWE-639",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/wekan/wekan/commit/5cd875813fdec5a3c40a0358b30a347967c85c14",
"tags": [
"patch"
]
},
{
"url": "https://wekan.fi/",
"tags": [
"product"
]
},
{
"url": "https://www.vulncheck.com/advisories/wekan-checklist-creation-cross-board-idor",
"tags": [
"third-party-advisory"
]
}
],
"metrics": [
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Joshua Rogers",
"type": "finder"
}
]
}
}
}