PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-25568 Wekan Project CVE debrief

CVE-2026-25568 is an authorization logic vulnerability in Wekan versions prior to 8.19. The instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time, allowing users to create public boards when it is enabled. This vulnerability has a CVSS score of 7.1 and is classified as HIGH severity. Affected users should review and adjust the allowPrivateOnly setting and monitor for suspicious activity.

Vendor
Wekan Project
Product
Wekan
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-07
Original CVE updated
2026-07-14
Advisory published
2026-02-07
Advisory updated
2026-07-14

Who should care

Users of Wekan versions prior to 8.19, particularly those with administrative privileges, should be aware of this vulnerability and take steps to mitigate it. They should review and adjust the allowPrivateOnly setting, monitor for suspicious activity, and update to version 8.19 or later.

Technical summary

The CVE-2026-25568 vulnerability in Wekan versions prior to 8.19 is caused by incomplete server-side enforcement of the allowPrivateOnly setting. This allows users to create public boards even when the setting is enabled. Affected users should review and adjust the allowPrivateOnly setting and monitor for suspicious activity. Updating to version 8.19 or later mitigates this vulnerability. Users with administrative privileges should prioritize updating Wekan and review compensating controls for exposed systems. This vulnerability has a CVSS score of 7.1 and is classified as HIGH severity.

Defensive priority

High priority should be given to updating Wekan to version 8.19 or later to mitigate this vulnerability and reviewing compensating controls for exposed systems.

Recommended defensive actions

  • Update Wekan to version 8.19 or later
  • Review and adjust the allowPrivateOnly setting
  • Monitor for suspicious activity
  • Review compensating controls for exposed systems
  • Check relevant monitoring, detection, and logs for exposed assets
  • Track exceptions and retest remediated assets
  • Confirm whether affected product deployments exist in managed environments

Evidence notes

The CVE record was published on 2026-02-07T22:16:02.467Z and was last modified on 2026-07-14T16:16:55.160Z. The NVD entry is currently Analyzed. Evidence is limited to CVE and NVD information. Defenders should verify affected product deployments and review official advisories.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-07T22:16:02.467Z and has not been modified since then. The NVD entry is currently Analyzed.