CVE-2026-25567

WeKan < 8.19 Card Comment Author Spoofing via User-controlled authorId

CVSS 5.3 MEDIUMEPSS 0.2%CWE-639

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 5.3EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

07 feb 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Productos afectados

WeKan · WeKan

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/wekan/wekan/commit/67cb47173c1a152d9eaf5469740992b2dacdf62d https://wekan.fi/https://www.vulncheck.com/advisories/wekan-card-comment-author-spoofing-via-user-controlled-authorid