PatchSiren cyber security CVE debrief
CVE-2026-25562 Wekan Project CVE debrief
CVE-2026-25562 is an information disclosure vulnerability in Wekan versions prior to 8.19. The vulnerability occurs in the attachments publication, allowing for attachment metadata to be returned without proper scoping to boards and cards accessible to the requesting user. This could potentially expose attachment metadata to unauthorized users. The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM. Users of Wekan versions prior to 8.19 should be aware of this vulnerability and take steps to mitigate it, including upgrading to version 8.19 or later and reviewing access controls for attachment metadata. The CVE record and NVD entry provide further context, but additional review is necessary to understand the full scope of affected systems and required mitigations.
- Vendor
- Wekan Project
- Product
- Wekan
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-02-07
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-02-07
- Advisory updated
- 2026-07-14
Who should care
Users of Wekan versions prior to 8.19, particularly those with administrative access to attachment metadata, should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to version 8.19 or later and reviewing access controls for attachment metadata. Additionally, security teams and vulnerability management teams should review the CVE record and NVD entry to understand the full scope of affected systems and required mitigations.
Technical summary
The vulnerability is caused by a lack of proper scoping in the attachments publication of Wekan versions prior to 8.19. This allows for attachment metadata to be returned without ensuring that the requesting user has access to the boards and cards associated with the attachments. The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM. To exploit this vulnerability, an attacker would need to send a crafted request to the attachments publication endpoint, potentially allowing them to access sensitive attachment metadata. Users should upgrade to Wekan version 8.19 or later to remediate this vulnerability. Additional defensive measures include reviewing access controls for attachment metadata and monitoring for suspicious activity related to attachment metadata.
Defensive priority
Medium priority should be given to remediating this vulnerability, as it could potentially expose sensitive information to unauthorized users. However, the actual priority may vary depending on the specific deployment and exposure of Wekan versions prior to 8.19 in the environment.
Recommended defensive actions
- Upgrade to Wekan version 8.19 or later
- Review access controls for attachment metadata
- Monitor for suspicious activity related to attachment metadata
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
The CVE record was published on 2026-02-07T22:16:01.627Z and last modified on 2026-07-14T16:16:54.437Z. The NVD entry is currently Analyzed. The information disclosure vulnerability in Wekan versions prior to 8.19 occurs due to improper scoping of attachment metadata in the attachments publication. This allows unauthorized users to potentially access attachment metadata. Evidence from the CVE record and NVD entry supports this analysis, but further verification is needed to confirm affected deployments and assess operational impact.
Official resources
-
CVE-2026-25562 CVE record
CVE.org
-
CVE-2026-25562 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Source reference
[email protected] - Product
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-07T22:16:01.627Z and has not been modified since then. The NVD entry is currently Analyzed.