PatchSiren cyber security CVE debrief
CVE-2026-25563 Wekan Project CVE debrief
CVE-2026-25563 is an insecure direct object reference (IDOR) vulnerability in Wekan checklist creation and related routes. The issue allows cross-board ID tampering by manipulating identifiers. Wekan versions prior to 8.19 are affected. This vulnerability has a High severity with a CVSS score of 7.1. Users of Wekan should apply the patch or upgrade to version 8.19 or later to prevent cross-board ID tampering attacks.
- Vendor
- Wekan Project
- Product
- Wekan
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-02-07
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-02-07
- Advisory updated
- 2026-07-14
Who should care
Users of Wekan versions prior to 8.19 should apply the patch or upgrade to version 8.19 or later to prevent cross-board ID tampering attacks. Wekan administrators and security teams should review the vulnerability and apply the necessary patches or mitigations to prevent exploitation.
Technical summary
The vulnerability exists in the checklist creation and related routes of Wekan. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing attackers to manipulate identifiers and access unauthorized data. This insecure direct object reference (IDOR) vulnerability can be exploited by attackers to gain unauthorized access to sensitive data. Wekan versions prior to 8.19 are affected, and users should apply the patch or upgrade to version 8.19 or later to prevent cross-board ID tampering attacks. The CVE record was published on 2026-02-07T22:16:01.767Z and was last modified on 2026-07-14T16:16:54.553Z. The NVD entry is currently Analyzed.
Defensive priority
High
Recommended defensive actions
- Apply the patch from https://github.com/wekan/wekan/commit/5cd875813fdec5a3c40a0358b30a347967c85c14
- Upgrade to Wekan version 8.19 or later
- Monitor for suspicious activity on Wekan boards and checklists
- Restrict access to sensitive data and routes
- Implement additional security measures to prevent IDOR attacks
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-02-07T22:16:01.767Z and was last modified on 2026-07-14T16:16:54.553Z. The NVD entry is currently Analyzed. The evidence for this CVE is based on the NVD entry and the official CVE record. The affected product is Wekan, and the vulnerability allows cross-board ID tampering by manipulating identifiers. The CVE was assigned based on the severity of the vulnerability, which is High with a CVSS score of 7.1.
Official resources
-
CVE-2026-25563 CVE record
CVE.org
-
CVE-2026-25563 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Source reference
[email protected] - Product
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-07T22:16:01.767Z and has not been modified since then. The NVD entry is currently Analyzed.