Cyber Resilience

CVE-2026-25560

HighPublic PoC

Published: 07 February 2026

Published
07 February 2026
Modified
10 February 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0065 46.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-25560 is a high-severity LDAP Injection (CWE-90) vulnerability in Wekan Project Wekan. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25560 is an LDAP filter injection vulnerability (CWE-90) affecting WeKan versions prior to 8.19. The flaw exists in the LDAP authentication component, where user-supplied username input is incorporated into LDAP search filters and DN-related values without adequate escaping. This allows attackers to manipulate LDAP queries during the authentication process. The vulnerability was published on 2026-02-07 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting malicious username inputs, attackers can alter LDAP search filters and DN values, potentially bypassing authentication controls or extracting sensitive directory information from the LDAP server.

The issue is addressed in WeKan version 8.19 through a fix in GitHub commit 0b0e16c3eae28bbf453d33a81a9c58ce7db6d5bb. Additional details on the vulnerability and mitigation are available in the VulnCheck advisory at https://www.vulncheck.com/advisories/wekan-ldap-authentication-filter-injection and on the WeKan website at https://wekan.fi/.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input is incorporated into LDAP search filters and DN-related values without adequate escaping, allowing an attacker to manipulate LDAP queries during authentication.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1087.002 Domain Account Discovery
Adversaries may attempt to get a listing of domain accounts.
Why these techniques?

LDAP filter injection in public-facing WeKan auth component directly enables remote unauthenticated exploitation for initial access (T1190) and allows crafted queries to enumerate domain accounts from the directory (T1087.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25563Same product: Wekan Project Wekan
CVE-2026-1962Same product: Wekan Project Wekan
CVE-2026-30845Same product: Wekan Project Wekan
CVE-2026-30846Same product: Wekan Project Wekan
CVE-2026-1963Same product: Wekan Project Wekan
CVE-2026-25564Same product: Wekan Project Wekan
CVE-2026-25859Same product: Wekan Project Wekan
CVE-2026-25561Same product: Wekan Project Wekan
CVE-2026-30844Same product: Wekan Project Wekan
CVE-2026-2206Same product: Wekan Project Wekan

Affected Assets

wekan project
wekan
≤ 8.19

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of user-supplied username inputs before incorporation into LDAP search filters and DN values to prevent injection attacks.

prevent

Ensures timely identification, reporting, and correction of the specific LDAP filter injection flaw through patching to version 8.19 or equivalent remediation.

detect

Generates audit records for authentication events, enabling detection of anomalous LDAP query manipulations or unauthorized access attempts via crafted inputs.

References