CVE-2026-25564

WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/wekan/wekan/commit/08a6f084eba09487743a7c807fb4a9000fcfa9ac	Patch
https://wekan.fi/	Product
https://www.vulncheck.com/advisories/wekan-checklist-deletion-idor-via-missing-relationship-validation	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*

History

17 Jun 2026, 10:24

Type	Values Removed	Values Added
Summary		(es) Las versiones de WeKan anteriores a la 8.19 contienen una referencia directa insegura a objetos (IDOR) en la creación de listas de verificación y en las rutas de listas de verificación relacionadas. La implementación no verifica que el cardId proporcionado pertenezca al boardId proporcionado, lo que permite la alteración de ID entre tableros mediante la manipulación de identificadores.

10 Feb 2026, 21:58

Type	Values Removed	Values Added
References	~~() https://github.com/wekan/wekan/commit/08a6f084eba09487743a7c807fb4a9000fcfa9ac -~~	() https://github.com/wekan/wekan/commit/08a6f084eba09487743a7c807fb4a9000fcfa9ac - Patch
References	~~() https://wekan.fi/ -~~	() https://wekan.fi/ - Product
References	~~() https://www.vulncheck.com/advisories/wekan-checklist-deletion-idor-via-missing-relationship-validation -~~	() https://www.vulncheck.com/advisories/wekan-checklist-deletion-idor-via-missing-relationship-validation - Third Party Advisory
CPE		cpe:2.3:a:wekan_project:wekan::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
First Time		Wekan Project wekan Wekan Project

07 Feb 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-07 22:16

Updated : 2026-06-17 10:24

NVD link : CVE-2026-25564

Mitre link : CVE-2026-25564

CVE.ORG link : CVE-2026-25564

JSON object : View

Products Affected

wekan_project

wekan

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

7.5 /10