CVE-2026-41454
HIGHWeKan < 8.35 Missing Authorization via Integration REST API
Title source: cnaDescription
WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper privilege verification. Attackers can enumerate integrations including webhook URLs, create new integrations, modify or delete existing integrations, and manage integration activities by exploiting insufficient authorization checks in the JsonRoutes REST handlers.
References (3)
Core 3
Core References
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/wekan-missing-authorization-via-integration-rest-api
Release Notes release-notes
https://github.com/wekan/wekan/releases/tag/v8.35
Scores
CVSS v3
8.3
EPSS
0.0027
EPSS Percentile
19.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-862
Status
published
Products (2)
wekan/wekan
< 8.35.0
wekan/wekan
2cd702f48df2b8aef0e7381685f8e089986a18a4
Published
Apr 22, 2026
Tracked Since
Apr 23, 2026