PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-25566 Wekan Project CVE debrief

CVE-2026-25566 is a high-severity vulnerability in Wekan versions prior to 8.19, allowing unauthorized cross-board card moves due to inadequate authorization checks. Users can specify a destination board/list/swimlane without proper validation, potentially enabling unauthorized actions. This vulnerability affects Wekan's card move logic, where users can manipulate destination objects without adequate authorization, leading to potential security breaches. Administrators and users of Wekan versions prior to 8.19 should be aware of this vulnerability and take necessary actions to mitigate the risk. The vulnerability has a CVSS score of 7.1 and is considered high-severity.

Vendor
Wekan Project
Product
Wekan
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-07
Original CVE updated
2026-07-14
Advisory published
2026-02-07
Advisory updated
2026-07-14

Who should care

Administrators and users of Wekan versions prior to 8.19 should be aware of this vulnerability and take necessary actions to mitigate the risk. This includes updating Wekan to version 8.19 or later, reviewing and adjusting authorization settings for card move logic, and monitoring for suspicious cross-board card move activities. Additionally, security teams and vulnerability management teams should be aware of this vulnerability and prioritize mitigation efforts.

Technical summary

The vulnerability exists in the card move logic of Wekan, where users can specify a destination board/list/swimlane without adequate authorization checks. This allows potentially unauthorized cross-board moves, as the system fails to validate that destination objects belong to the destination board. The vulnerability has a CVSS score of 7.1 and is considered high-severity. Wekan versions prior to 8.19 are affected by this vulnerability. The vulnerability can be mitigated by updating Wekan to version 8.19 or later.

Defensive priority

High priority should be given to updating Wekan to version 8.19 or later to address this vulnerability. Additionally, security teams should review and adjust authorization settings for card move logic, and monitor for suspicious cross-board card move activities.

Recommended defensive actions

  • Update Wekan to version 8.19 or later
  • Review and adjust authorization settings for card move logic
  • Monitor for suspicious cross-board card move activities
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record and NVD detail provide information on the vulnerability, while the source item URL offers additional context. The patch reference on GitHub and the product page on Wekan.fi provide further resources for mitigation and understanding the affected product. The vulnerability has a CVSS score of 7.1 and is considered high-severity. Wekan versions prior to 8.19 are affected by this vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-07T22:16:02.190Z and has not been modified since.