PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-25562 Wekan Project CVE debrief

CVE-2026-25562 is an information disclosure vulnerability in Wekan versions prior to 8.19. The vulnerability occurs in the attachments publication, allowing for attachment metadata to be returned without proper scoping to boards and cards accessible to the requesting user. This could potentially expose attachment metadata to unauthorized users. The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM. Users of Wekan versions prior to 8.19 should be aware of this vulnerability and take steps to mitigate it, including upgrading to version 8.19 or later and reviewing access controls for attachment metadata. The CVE record and NVD entry provide further context, but additional review is necessary to understand the full scope of affected systems and required mitigations.

Vendor
Wekan Project
Product
Wekan
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-07
Original CVE updated
2026-07-14
Advisory published
2026-02-07
Advisory updated
2026-07-14

Who should care

Users of Wekan versions prior to 8.19, particularly those with administrative access to attachment metadata, should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to version 8.19 or later and reviewing access controls for attachment metadata. Additionally, security teams and vulnerability management teams should review the CVE record and NVD entry to understand the full scope of affected systems and required mitigations.

Technical summary

The vulnerability is caused by a lack of proper scoping in the attachments publication of Wekan versions prior to 8.19. This allows for attachment metadata to be returned without ensuring that the requesting user has access to the boards and cards associated with the attachments. The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM. To exploit this vulnerability, an attacker would need to send a crafted request to the attachments publication endpoint, potentially allowing them to access sensitive attachment metadata. Users should upgrade to Wekan version 8.19 or later to remediate this vulnerability. Additional defensive measures include reviewing access controls for attachment metadata and monitoring for suspicious activity related to attachment metadata.

Defensive priority

Medium priority should be given to remediating this vulnerability, as it could potentially expose sensitive information to unauthorized users. However, the actual priority may vary depending on the specific deployment and exposure of Wekan versions prior to 8.19 in the environment.

Recommended defensive actions

  • Upgrade to Wekan version 8.19 or later
  • Review access controls for attachment metadata
  • Monitor for suspicious activity related to attachment metadata
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

The CVE record was published on 2026-02-07T22:16:01.627Z and last modified on 2026-07-14T16:16:54.437Z. The NVD entry is currently Analyzed. The information disclosure vulnerability in Wekan versions prior to 8.19 occurs due to improper scoping of attachment metadata in the attachments publication. This allows unauthorized users to potentially access attachment metadata. Evidence from the CVE record and NVD entry supports this analysis, but further verification is needed to confirm affected deployments and assess operational impact.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-07T22:16:01.627Z and has not been modified since then. The NVD entry is currently Analyzed.