CVE-2026-25563
Published: 07 February 2026
Summary
CVE-2026-25563 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Wekan Project Wekan. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-25563 is an insecure direct object reference (IDOR) vulnerability, classified under CWE-639, affecting WeKan versions prior to 8.19. The flaw exists in checklist creation and related checklist routes, where the implementation fails to verify that the supplied cardId belongs to the supplied boardId. This allows attackers to manipulate identifiers for cross-board tampering. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and no authentication requirements.
Unauthenticated attackers can exploit this vulnerability remotely by supplying tampered cardId and boardId parameters in checklist-related API requests. Successful exploitation enables cross-board manipulation of checklists, such as creating or modifying checklists on cards in boards to which the attacker lacks access, resulting in unauthorized integrity violations without impacting confidentiality or availability.
Mitigation is available in WeKan version 8.19 and later, as detailed in the patching commit at https://github.com/wekan/wekan/commit/5cd875813fdec5a3c40a0358b30a347967c85c14. Security practitioners should upgrade affected instances immediately. Additional details on the vulnerability and remediation are provided in the Vulncheck advisory at https://www.vulncheck.com/advisories/wekan-checklist-creation-cross-board-idor and on the WeKan website at https://wekan.fi/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5709
Vulnerability details
WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The unauthenticated remote IDOR flaw in the public-facing WeKan web application directly enables exploitation via T1190 (Exploit Public-Facing Application), allowing parameter tampering to achieve unauthorized cross-board data modification.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authorization checks to ensure the supplied cardId is valid for the given boardId before allowing checklist operations.
Requires validation of supplied identifiers (cardId/boardId) to reject tampered cross-board references during checklist creation.
Enforces information flow rules between board/card objects so that checklist modifications cannot cross unauthorized boundaries.