CVE-2026-25560
Published: 07 February 2026
Summary
CVE-2026-25560 is a critical-severity LDAP Injection (CWE-90) vulnerability in Wekan Project Wekan. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation and sanitization of user-supplied username inputs before incorporation into LDAP search filters and DN values to prevent injection attacks.
Ensures timely identification, reporting, and correction of the specific LDAP filter injection flaw through patching to version 8.19 or equivalent remediation.
Generates audit records for authentication events, enabling detection of anomalous LDAP query manipulations or unauthorized access attempts via crafted inputs.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
LDAP filter injection in public-facing WeKan auth component directly enables remote unauthenticated exploitation for initial access (T1190) and allows crafted queries to enumerate domain accounts from the directory (T1087.002).
NVD Description
WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input is incorporated into LDAP search filters and DN-related values without adequate escaping, allowing an attacker to manipulate LDAP queries during authentication.
Deeper analysisAI
CVE-2026-25560 is an LDAP filter injection vulnerability (CWE-90) affecting WeKan versions prior to 8.19. The flaw exists in the LDAP authentication component, where user-supplied username input is incorporated into LDAP search filters and DN-related values without adequate escaping. This allows attackers to manipulate LDAP queries during the authentication process. The vulnerability was published on 2026-02-07 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting malicious username inputs, attackers can alter LDAP search filters and DN values, potentially bypassing authentication controls or extracting sensitive directory information from the LDAP server.
The issue is addressed in WeKan version 8.19 through a fix in GitHub commit 0b0e16c3eae28bbf453d33a81a9c58ce7db6d5bb. Additional details on the vulnerability and mitigation are available in the VulnCheck advisory at https://www.vulncheck.com/advisories/wekan-ldap-authentication-filter-injection and on the WeKan website at https://wekan.fi/.
Details
- CWE(s)