PatchSiren cyber security CVE debrief
CVE-2026-25566 Wekan Project CVE debrief
CVE-2026-25566 is a high-severity vulnerability in Wekan versions prior to 8.19, allowing unauthorized cross-board card moves due to inadequate authorization checks. Users can specify a destination board/list/swimlane without proper validation, potentially enabling unauthorized actions. This vulnerability affects Wekan's card move logic, where users can manipulate destination objects without adequate authorization, leading to potential security breaches. Administrators and users of Wekan versions prior to 8.19 should be aware of this vulnerability and take necessary actions to mitigate the risk. The vulnerability has a CVSS score of 7.1 and is considered high-severity.
- Vendor
- Wekan Project
- Product
- Wekan
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-02-07
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-02-07
- Advisory updated
- 2026-07-14
Who should care
Administrators and users of Wekan versions prior to 8.19 should be aware of this vulnerability and take necessary actions to mitigate the risk. This includes updating Wekan to version 8.19 or later, reviewing and adjusting authorization settings for card move logic, and monitoring for suspicious cross-board card move activities. Additionally, security teams and vulnerability management teams should be aware of this vulnerability and prioritize mitigation efforts.
Technical summary
The vulnerability exists in the card move logic of Wekan, where users can specify a destination board/list/swimlane without adequate authorization checks. This allows potentially unauthorized cross-board moves, as the system fails to validate that destination objects belong to the destination board. The vulnerability has a CVSS score of 7.1 and is considered high-severity. Wekan versions prior to 8.19 are affected by this vulnerability. The vulnerability can be mitigated by updating Wekan to version 8.19 or later.
Defensive priority
High priority should be given to updating Wekan to version 8.19 or later to address this vulnerability. Additionally, security teams should review and adjust authorization settings for card move logic, and monitor for suspicious cross-board card move activities.
Recommended defensive actions
- Update Wekan to version 8.19 or later
- Review and adjust authorization settings for card move logic
- Monitor for suspicious cross-board card move activities
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record and NVD detail provide information on the vulnerability, while the source item URL offers additional context. The patch reference on GitHub and the product page on Wekan.fi provide further resources for mitigation and understanding the affected product. The vulnerability has a CVSS score of 7.1 and is considered high-severity. Wekan versions prior to 8.19 are affected by this vulnerability.
Official resources
-
CVE-2026-25566 CVE record
CVE.org
-
CVE-2026-25566 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Source reference
[email protected] - Product
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-07T22:16:02.190Z and has not been modified since.