PatchSiren cyber security CVE debrief
CVE-2026-25567 Wekan Project CVE debrief
CVE-2026-25567 is an insecure direct object reference (IDOR) vulnerability in the card comment creation API of Wekan versions prior to 8.19. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier. This vulnerability could potentially be used to manipulate the recorded authors of comments, which could have implications for the integrity of the information stored in Wekan. Users should be cautious and take steps to mitigate this vulnerability.
- Vendor
- Wekan Project
- Product
- Wekan
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-02-07
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-02-07
- Advisory updated
- 2026-07-14
Who should care
Users of Wekan versions prior to 8.19 should be aware of this vulnerability and take steps to mitigate it. This includes updating to version 8.19 or later, and monitoring for potential exploitation attempts. Additionally, operators, platform administrators, and security teams should review the vulnerability and take necessary actions to protect their systems.
Technical summary
The CVE-2026-25567 vulnerability is caused by the insecure direct object reference (IDOR) in the card comment creation API of Wekan. The API accepts an authorId from the request body, which allows an authenticated user to spoof the recorded comment author by supplying another user's identifier. This could potentially be used to manipulate the recorded authors of comments, which could have implications for the integrity of the information stored in Wekan. The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM.
Defensive priority
Medium
Recommended defensive actions
- Update Wekan to version 8.19 or later
- Monitor for potential exploitation attempts
- Restrict access to the card comment creation API
- Implement additional authentication and authorization checks
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE-2026-25567 vulnerability was identified in Wekan versions prior to 8.19. The vulnerability is caused by the insecure direct object reference (IDOR) in the card comment creation API. The API accepts an authorId from the request body, which allows an authenticated user to spoof the recorded comment author by supplying another user's identifier. The evidence for this vulnerability is limited to the information provided in the CVE record and the NVD detail.
Official resources
-
CVE-2026-25567 CVE record
CVE.org
-
CVE-2026-25567 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Source reference
[email protected] - Product
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-07T22:16:02.333Z and has not been modified since then.