CVE-2026-41454
Published: 22 April 2026
Summary
CVE-2026-41454 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 12.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 mandates enforcement of approved authorizations for access to system resources, directly addressing the missing privilege verification in WeKan's Integration REST API endpoints.
AC-6 enforces least privilege, ensuring authenticated board members cannot perform administrative actions on integrations without necessary permissions.
SI-2 requires timely identification, reporting, and correction of system flaws, directly mitigating this authorization vulnerability through patching to WeKan 8.35 or later.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization in REST API allows authenticated low-priv users to perform admin actions on integrations (privilege escalation via T1068); remote network-accessible flaw in web app enables exploitation of public-facing application (T1190).
NVD Description
WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper privilege verification. Attackers can enumerate integrations including webhook URLs, create new integrations, modify or delete…
more
existing integrations, and manage integration activities by exploiting insufficient authorization checks in the JsonRoutes REST handlers.
Deeper analysisAI
CVE-2026-41454 is a missing authorization vulnerability (CWE-862) affecting WeKan versions prior to 8.35, specifically in the Integration REST API endpoints handled by JsonRoutes REST handlers. The flaw stems from insufficient privilege verification, enabling authenticated board members to perform administrative actions on integrations without proper checks. It has a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality and integrity.
An attacker with low-privilege access as an authenticated board member can exploit this vulnerability remotely without user interaction. Successful exploitation allows enumeration of integrations, including exposure of sensitive webhook URLs; creation of new integrations; modification or deletion of existing ones; and management of integration activities. This could lead to unauthorized data access, manipulation of external service connections, or disruption of board-related workflows.
Mitigation involves upgrading to WeKan version 8.35 or later, as detailed in the project's release notes and the associated GitHub commit that addresses the authorization checks. Additional guidance is available in the VulnCheck advisory on the WeKan missing authorization issue via the Integration REST API.
Details
- CWE(s)