CVE-2026-25562

MEDIUM

WeKan < 8.19 - Unauthorized Attachment Metadata Exposure via Attachments Publication

Title source: llm

Description

WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing attachment metadata to unauthorized users.

References (3)

Core 3

Core References

Patch patch

https://github.com/wekan/wekan/commit/6dfa3beb2b6ab23438d0f4395b84bf0749eb4820

View Patch ZIP pw:eip

Product product

https://wekan.fi/

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/wekan-attachments-publication-information-disclosure

Scores

CVSS v3 4.3

EPSS 0.0029

EPSS Percentile 20.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-203

Status published

Products (2)

WeKan/WeKan < 8.19

wekan_project/wekan < 8.19

Published Feb 07, 2026

Tracked Since Feb 18, 2026