CVE-2026-25568

WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete server-side enforcement.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/wekan/wekan/commit/7ed76c180ede46ab1dac6b8ad27e9128a272c2c8	Patch
https://wekan.fi/	Product
https://www.vulncheck.com/advisories/wekan-allowprivateonly-setting-enforcement-bypass	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*

History

17 Jun 2026, 10:24

Type	Values Removed	Values Added
Summary		(es) Las versiones de WeKan anteriores a la 8.19 contienen una vulnerabilidad de lógica de autorización donde la configuración de instancia allowPrivateOnly no se aplica suficientemente en el momento de la creación del tablero. Cuando allowPrivateOnly está habilitado, los usuarios aún pueden crear tableros públicos debido a una aplicación incompleta por parte del servidor.

10 Feb 2026, 21:55

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3
First Time		Wekan Project wekan Wekan Project
CPE		cpe:2.3:a:wekan_project:wekan::::::::
References	~~() https://github.com/wekan/wekan/commit/7ed76c180ede46ab1dac6b8ad27e9128a272c2c8 -~~	() https://github.com/wekan/wekan/commit/7ed76c180ede46ab1dac6b8ad27e9128a272c2c8 - Patch
References	~~() https://wekan.fi/ -~~	() https://wekan.fi/ - Product
References	~~() https://www.vulncheck.com/advisories/wekan-allowprivateonly-setting-enforcement-bypass -~~	() https://www.vulncheck.com/advisories/wekan-allowprivateonly-setting-enforcement-bypass - Third Party Advisory

07 Feb 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-07 22:16

Updated : 2026-06-17 10:24

NVD link : CVE-2026-25568

Mitre link : CVE-2026-25568

CVE.ORG link : CVE-2026-25568

JSON object : View

Products Affected

wekan_project

wekan

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2026-25568", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-25568", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-09T16:59:33.976425Z"}}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "disclosure@vulncheck.com", "affectedData": [{"repo": "https://github.com/wekan/wekan", "vendor": "WeKan", "product": "WeKan", "versions": [{"status": "affected", "version": "0", "lessThan": "8.19", "versionType": "custom"}], "defaultStatus": "unaffected"}]}], "published": "2026-02-07T22:16:02.467", "references": [{"url": "https://github.com/wekan/wekan/commit/7ed76c180ede46ab1dac6b8ad27e9128a272c2c8", "tags": ["Patch"], "source": "disclosure@vulncheck.com"}, {"url": "https://wekan.fi/", "tags": ["Product"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/wekan-allowprivateonly-setting-enforcement-bypass", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete server-side enforcement."}, {"lang": "es", "value": "Las versiones de WeKan anteriores a la 8.19 contienen una vulnerabilidad de l\u00f3gica de autorizaci\u00f3n donde la configuraci\u00f3n de instancia allowPrivateOnly no se aplica suficientemente en el momento de la creaci\u00f3n del tablero. Cuando allowPrivateOnly est\u00e1 habilitado, los usuarios a\u00fan pueden crear tableros p\u00fablicos debido a una aplicaci\u00f3n incompleta por parte del servidor."}], "lastModified": "2026-06-17T10:24:52.253", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BE76E9D8-332F-4A27-9690-CEEF9504B520", "versionEndExcluding": "8.19"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}