CVE-2026-25565

WeKan < 8.19 Read-only Board Roles Can Update Cards

CVSS 7.1 HIGHEPSS 0.3%CWE-863

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7.1EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

07 Feb 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected products

WeKan · WeKan

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/wekan/wekan/commit/181f837d8cbae96bdf9dcbd31beaa3653c2c0285 https://wekan.fi/https://www.vulncheck.com/advisories/wekan-read-only-board-roles-can-update-cards