WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.
PUBLISHED5.2CWE-639
WeKan < 8.19 Checklist Deletion IDOR via Missing Relationship Validation
Problem type
Affected products
WeKan
WeKan
< 8.19 - AFFECTED
References
github.com
https://github.com/wekan/wekan/commit/08a6f084eba09487743a7c807fb4a9000fcfa9ac
wekan.fi
https://wekan.fi/
vulncheck.com
https://www.vulncheck.com/advisories/wekan-checklist-deletion-idor-via-missing-relationship-validation
GitHub Security Advisories
GHSA-xc4h-36v7-xrrw
WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist...
https://github.com/advisories/GHSA-xc4h-36v7-xrrwWeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.
nvd.nist.gov
https://nvd.nist.gov/vuln/detail/CVE-2026-25564
github.com
https://github.com/wekan/wekan/commit/08a6f084eba09487743a7c807fb4a9000fcfa9ac
wekan.fi
https://wekan.fi
vulncheck.com
https://www.vulncheck.com/advisories/wekan-checklist-deletion-idor-via-missing-relationship-validation
github.com
https://github.com/advisories/GHSA-xc4h-36v7-xrrw
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-25564Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-25564",
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"dateUpdated": "2026-02-07T21:57:51.408Z",
"dateReserved": "2026-02-02T20:12:33.396Z",
"datePublished": "2026-02-07T21:57:51.408Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck",
"dateUpdated": "2026-02-07T21:57:51.408Z"
},
"title": "WeKan < 8.19 Checklist Deletion IDOR via Missing Relationship Validation",
"descriptions": [
{
"lang": "en",
"value": "WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers."
}
]
}
],
"affected": [
{
"vendor": "WeKan",
"product": "WeKan",
"repo": "https://github.com/wekan/wekan",
"defaultStatus": "unaffected",
"versions": [
{
"version": "0",
"status": "affected",
"versionType": "semver",
"lessThan": "8.19"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"cweId": "CWE-639",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/wekan/wekan/commit/08a6f084eba09487743a7c807fb4a9000fcfa9ac",
"tags": [
"patch"
]
},
{
"url": "https://wekan.fi/",
"tags": [
"product"
]
},
{
"url": "https://www.vulncheck.com/advisories/wekan-checklist-deletion-idor-via-missing-relationship-validation",
"tags": [
"third-party-advisory"
]
}
],
"metrics": [
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Joshua Rogers",
"type": "finder"
}
]
}
}
}