WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access.
WeKan < 8.19 Read-only Board Roles Can Update Cards
Problem type: CWE-863 Incorrect Authorization
Affected products
WeKan
< 8.19 - AFFECTED
References
https://github.com/wekan/wekan/commit/181f837d8cbae96bdf9dcbd31beaa3653c2c0285
https://wekan.fi/
https://www.vulncheck.com/advisories/wekan-read-only-board-roles-can-update-cards
GitHub Security Advisories
GHSA-7c8j-xhpq-ww8c
WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API...
https://github.com/advisories/GHSA-7c8j-xhpq-ww8c
WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access.
https://nvd.nist.gov/vuln/detail/CVE-2026-25565
https://github.com/wekan/wekan/commit/181f837d8cbae96bdf9dcbd31beaa3653c2c0285
https://wekan.fi
https://www.vulncheck.com/advisories/wekan-read-only-board-roles-can-update-cards
https://github.com/advisories/GHSA-7c8j-xhpq-ww8c
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-25565
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-25565",
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"dateUpdated": "2026-02-07T21:58:13.152Z",
"dateReserved": "2026-02-02T20:12:33.396Z",
"datePublished": "2026-02-07T21:58:13.152Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck",
"dateUpdated": "2026-02-07T21:58:13.152Z"
},
"title": "WeKan < 8.19 Read-only Board Roles Can Update Cards",
"descriptions": [
{
"lang": "en",
"value": "WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access."
}
]
}
],
"affected": [
{
"vendor": "WeKan",
"product": "WeKan",
"repo": "https://github.com/wekan/wekan",
"defaultStatus": "unaffected",
"versions": [
{
"version": "0",
"status": "affected",
"versionType": "semver",
"lessThan": "8.19"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-863 Incorrect Authorization",
"cweId": "CWE-863",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/wekan/wekan/commit/181f837d8cbae96bdf9dcbd31beaa3653c2c0285",
"tags": [
"patch"
]
},
{
"url": "https://wekan.fi/",
"tags": [
"product"
]
},
{
"url": "https://www.vulncheck.com/advisories/wekan-read-only-board-roles-can-update-cards",
"tags": [
"third-party-advisory"
]
}
],
"metrics": [
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Joshua Rogers",
"type": "finder"
}
]
}
}
}