PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-25567 Wekan Project CVE debrief

CVE-2026-25567 is an insecure direct object reference (IDOR) vulnerability in the card comment creation API of Wekan versions prior to 8.19. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier. This vulnerability could potentially be used to manipulate the recorded authors of comments, which could have implications for the integrity of the information stored in Wekan. Users should be cautious and take steps to mitigate this vulnerability.

Vendor
Wekan Project
Product
Wekan
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-07
Original CVE updated
2026-07-14
Advisory published
2026-02-07
Advisory updated
2026-07-14

Who should care

Users of Wekan versions prior to 8.19 should be aware of this vulnerability and take steps to mitigate it. This includes updating to version 8.19 or later, and monitoring for potential exploitation attempts. Additionally, operators, platform administrators, and security teams should review the vulnerability and take necessary actions to protect their systems.

Technical summary

The CVE-2026-25567 vulnerability is caused by the insecure direct object reference (IDOR) in the card comment creation API of Wekan. The API accepts an authorId from the request body, which allows an authenticated user to spoof the recorded comment author by supplying another user's identifier. This could potentially be used to manipulate the recorded authors of comments, which could have implications for the integrity of the information stored in Wekan. The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM.

Defensive priority

Medium

Recommended defensive actions

  • Update Wekan to version 8.19 or later
  • Monitor for potential exploitation attempts
  • Restrict access to the card comment creation API
  • Implement additional authentication and authorization checks
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE-2026-25567 vulnerability was identified in Wekan versions prior to 8.19. The vulnerability is caused by the insecure direct object reference (IDOR) in the card comment creation API. The API accepts an authorId from the request body, which allows an authenticated user to spoof the recorded comment author by supplying another user's identifier. The evidence for this vulnerability is limited to the information provided in the CVE record and the NVD detail.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-07T22:16:02.333Z and has not been modified since then.