Cyber Resilience

CVE-2026-25859

HighPublic PoC

Published: 07 February 2026

Published
07 February 2026
Modified
10 February 2026
KEV Added
Patch
CVSS Score v4 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0034 26.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-25859 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Wekan Project Wekan. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 26.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-25859 is a high-severity vulnerability (CVSS 8.8, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) affecting Wekan, an open-source kanban board application, in versions prior to 8.20. The issue stems from insufficient permission checks (CWE-863) in the migration functionality, which allows non-administrative users to access and perform migration operations that should be restricted to administrators. Published on 2026-02-07, this flaw enables unauthorized actions on board data or configurations during migrations.

An authenticated non-administrative user with network access to a vulnerable Wekan instance can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation grants the attacker high-impact privileges over confidentiality, integrity, and availability, potentially allowing them to execute unauthorized migrations that alter, delete, or extract sensitive board data, user information, or entire workspaces without administrative oversight.

Mitigation involves upgrading to Wekan version 8.20 or later, where a fixing commit (cbb1cd78de3e40264a5e047ace0ce27f8635b4e6) addresses the permission checks in the migration functionality, as detailed on the Wekan GitHub repository. Additional guidance is available from the official Wekan website (wekan.fi) and VulnCheck's advisory on the insufficient permission checks in migration features.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Wekan versions prior to 8.20 allow non-administrative users to access migration functionality due to insufficient permission checks, potentially resulting in unauthorized migration operations.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Insufficient permission checks (CWE-863) in the migration feature of a public-facing web app allow authenticated low-privileged users to perform admin-only data operations, directly enabling exploitation for privilege escalation (T1068) and exploitation of a public-facing application (T1190) with resulting impact on board data confidentiality/integrity/availability.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25561Same product: Wekan Project Wekan
CVE-2026-2206Same product: Wekan Project Wekan
CVE-2026-1962Same product: Wekan Project Wekan
CVE-2026-25563Same product: Wekan Project Wekan
CVE-2026-1963Same product: Wekan Project Wekan
CVE-2026-30846Same product: Wekan Project Wekan
CVE-2026-25564Same product: Wekan Project Wekan
CVE-2026-30845Same product: Wekan Project Wekan
CVE-2026-25560Same product: Wekan Project Wekan
CVE-2026-30844Same product: Wekan Project Wekan

Affected Assets

wekan project
wekan
≤ 8.20

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 mandates enforcement of approved authorizations for logical access, directly addressing the insufficient permission checks allowing non-admin users to perform migration operations in Wekan.

prevent

AC-6 enforces least privilege, ensuring non-administrative users cannot access or execute privileged migration functionality that alters board data or configurations.

prevent

AC-5 requires separation of duties for sensitive functions like migrations, preventing low-privilege users from performing administrative operations.

References