Cyber Resilience

CVE-2026-41454

HighPublic PoC

Published: 22 April 2026

Published
22 April 2026
Modified
23 April 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0027 19.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-41454 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 19.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-41454 is a missing authorization vulnerability (CWE-862) affecting WeKan versions prior to 8.35, specifically in the Integration REST API endpoints handled by JsonRoutes REST handlers. The flaw stems from insufficient privilege verification, enabling authenticated board members to perform administrative actions on integrations without proper checks. It has a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality and integrity.

An attacker with low-privilege access as an authenticated board member can exploit this vulnerability remotely without user interaction. Successful exploitation allows enumeration of integrations, including exposure of sensitive webhook URLs; creation of new integrations; modification or deletion of existing ones; and management of integration activities. This could lead to unauthorized data access, manipulation of external service connections, or disruption of board-related workflows.

Mitigation involves upgrading to WeKan version 8.35 or later, as detailed in the project's release notes and the associated GitHub commit that addresses the authorization checks. Additional guidance is available in the VulnCheck advisory on the WeKan missing authorization issue via the Integration REST API.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper privilege verification. Attackers can enumerate integrations including webhook URLs, create new integrations, modify or delete…

more

existing integrations, and manage integration activities by exploiting insufficient authorization checks in the JsonRoutes REST handlers.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authorization in REST API allows authenticated low-priv users to perform admin actions on integrations (privilege escalation via T1068); remote network-accessible flaw in web app enables exploitation of public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2110Shared CWE-862
CVE-2026-39432Shared CWE-862
CVE-2026-22683Shared CWE-862
CVE-2022-45830Shared CWE-862
CVE-2025-6754Shared CWE-862
CVE-2026-2001Shared CWE-862
CVE-2025-15041Shared CWE-862
CVE-2025-13313Shared CWE-862
CVE-2025-2266Shared CWE-862
CVE-2025-6380Shared CWE-862

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 mandates enforcement of approved authorizations for access to system resources, directly addressing the missing privilege verification in WeKan's Integration REST API endpoints.

prevent

AC-6 enforces least privilege, ensuring authenticated board members cannot perform administrative actions on integrations without necessary permissions.

prevent

SI-2 requires timely identification, reporting, and correction of system flaws, directly mitigating this authorization vulnerability through patching to WeKan 8.35 or later.

References