WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete server-side enforcement.
WeKan < 8.19 allowPrivateOnly Setting Enforcement Bypass
Problem type
CWE-863 Incorrect Authorization
Affected products
WeKan
< 8.19 - AFFECTED
References
https://github.com/wekan/wekan/commit/7ed76c180ede46ab1dac6b8ad27e9128a272c2c8
https://wekan.fi/
https://www.vulncheck.com/advisories/wekan-allowprivateonly-setting-enforcement-bypass
GitHub Security Advisories
GHSA-mxjf-259r-3r76
WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance...
https://github.com/advisories/GHSA-mxjf-259r-3r76
WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete server-side enforcement.
https://nvd.nist.gov/vuln/detail/CVE-2026-25568
https://github.com/wekan/wekan/commit/7ed76c180ede46ab1dac6b8ad27e9128a272c2c8
https://wekan.fi
https://www.vulncheck.com/advisories/wekan-allowprivateonly-setting-enforcement-bypass
https://github.com/advisories/GHSA-mxjf-259r-3r76
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-25568
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-25568",
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"dateUpdated": "2026-02-07T21:59:13.959Z",
"dateReserved": "2026-02-02T20:12:33.397Z",
"datePublished": "2026-02-07T21:59:13.959Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck",
"dateUpdated": "2026-02-07T21:59:13.959Z"
},
"title": "WeKan < 8.19 allowPrivateOnly Setting Enforcement Bypass",
"descriptions": [
{
"lang": "en",
"value": "WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete server-side enforcement.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete server-side enforcement."
}
]
}
],
"affected": [
{
"vendor": "WeKan",
"product": "WeKan",
"repo": "https://github.com/wekan/wekan",
"defaultStatus": "unaffected",
"versions": [
{
"version": "0",
"status": "affected",
"versionType": "semver",
"lessThan": "8.19"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-863 Incorrect Authorization",
"cweId": "CWE-863",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/wekan/wekan/commit/7ed76c180ede46ab1dac6b8ad27e9128a272c2c8",
"tags": [
"patch"
]
},
{
"url": "https://wekan.fi/",
"tags": [
"product"
]
},
{
"url": "https://www.vulncheck.com/advisories/wekan-allowprivateonly-setting-enforcement-bypass",
"tags": [
"third-party-advisory"
]
}
],
"metrics": [
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Joshua Rogers",
"type": "finder"
}
]
}
}
}