CVE-2026-25566

MEDIUM

WeKan < 8.19 - Incorrect Authorization in Card Move Logic

Title source: llm

Description

WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board, potentially enabling unauthorized cross-board moves.

References (3)

Core 3

Core References

Patch patch

https://github.com/wekan/wekan/commit/198509e7600981400353aec6259247b3c04e043e

View Patch ZIP pw:eip

Various Sources product

https://wekan.fi/

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/wekan-cross-board-card-move-without-destination-authorization

Scores

CVSS v3 5.4

EPSS 0.0022

EPSS Percentile 12.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (2)

WeKan/WeKan < 8.19

wekan_project/wekan < 8.19

Published Feb 07, 2026

Tracked Since Feb 18, 2026