CVE-2026-25563
Published: 07 February 2026
Summary
CVE-2026-25563 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Wekan Project Wekan. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The unauthenticated remote IDOR flaw in the public-facing WeKan web application directly enables exploitation via T1190 (Exploit Public-Facing Application), allowing parameter tampering to achieve unauthorized cross-board data modification.
NVD Description
WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.
Deeper analysisAI
CVE-2026-25563 is an insecure direct object reference (IDOR) vulnerability, classified under CWE-639, affecting WeKan versions prior to 8.19. The flaw exists in checklist creation and related checklist routes, where the implementation fails to verify that the supplied cardId belongs to the supplied boardId. This allows attackers to manipulate identifiers for cross-board tampering. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and no authentication requirements.
Unauthenticated attackers can exploit this vulnerability remotely by supplying tampered cardId and boardId parameters in checklist-related API requests. Successful exploitation enables cross-board manipulation of checklists, such as creating or modifying checklists on cards in boards to which the attacker lacks access, resulting in unauthorized integrity violations without impacting confidentiality or availability.
Mitigation is available in WeKan version 8.19 and later, as detailed in the patching commit at https://github.com/wekan/wekan/commit/5cd875813fdec5a3c40a0358b30a347967c85c14. Security practitioners should upgrade affected instances immediately. Additional details on the vulnerability and remediation are provided in the Vulncheck advisory at https://www.vulncheck.com/advisories/wekan-checklist-creation-cross-board-idor and on the WeKan website at https://wekan.fi/.
Details
- CWE(s)