CVE-2026-25567
Published: 07 February 2026
Summary
CVE-2026-25567 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Wekan Project Wekan. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001); ranked at the 15.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5705
Vulnerability details
WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another…
more
user's identifier.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
IDOR enables direct stored comment authorship manipulation (T1565.001) and user impersonation via spoofed authorId (T1656).
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.