CVE-2026-25859
Published: 07 February 2026
Summary
CVE-2026-25859 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Wekan Project Wekan. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 5.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 mandates enforcement of approved authorizations for logical access, directly addressing the insufficient permission checks allowing non-admin users to perform migration operations in Wekan.
AC-6 enforces least privilege, ensuring non-administrative users cannot access or execute privileged migration functionality that alters board data or configurations.
AC-5 requires separation of duties for sensitive functions like migrations, preventing low-privilege users from performing administrative operations.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Insufficient permission checks (CWE-863) in the migration feature of a public-facing web app allow authenticated low-privileged users to perform admin-only data operations, directly enabling exploitation for privilege escalation (T1068) and exploitation of a public-facing application (T1190) with resulting impact on board data confidentiality/integrity/availability.
NVD Description
Wekan versions prior to 8.20 allow non-administrative users to access migration functionality due to insufficient permission checks, potentially resulting in unauthorized migration operations.
Deeper analysisAI
CVE-2026-25859 is a high-severity vulnerability (CVSS 8.8, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) affecting Wekan, an open-source kanban board application, in versions prior to 8.20. The issue stems from insufficient permission checks (CWE-863) in the migration functionality, which allows non-administrative users to access and perform migration operations that should be restricted to administrators. Published on 2026-02-07, this flaw enables unauthorized actions on board data or configurations during migrations.
An authenticated non-administrative user with network access to a vulnerable Wekan instance can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation grants the attacker high-impact privileges over confidentiality, integrity, and availability, potentially allowing them to execute unauthorized migrations that alter, delete, or extract sensitive board data, user information, or entire workspaces without administrative oversight.
Mitigation involves upgrading to Wekan version 8.20 or later, where a fixing commit (cbb1cd78de3e40264a5e047ace0ce27f8635b4e6) addresses the permission checks in the migration functionality, as detailed on the Wekan GitHub repository. Additional guidance is available from the official Wekan website (wekan.fi) and VulnCheck's advisory on the insufficient permission checks in migration features.
Details
- CWE(s)