PatchSiren cyber security CVE debrief
CVE-2026-25568 Wekan Project CVE debrief
CVE-2026-25568 is an authorization logic vulnerability in Wekan versions prior to 8.19. The instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time, allowing users to create public boards when it is enabled. This vulnerability has a CVSS score of 7.1 and is classified as HIGH severity. Affected users should review and adjust the allowPrivateOnly setting and monitor for suspicious activity.
- Vendor
- Wekan Project
- Product
- Wekan
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-02-07
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-02-07
- Advisory updated
- 2026-07-14
Who should care
Users of Wekan versions prior to 8.19, particularly those with administrative privileges, should be aware of this vulnerability and take steps to mitigate it. They should review and adjust the allowPrivateOnly setting, monitor for suspicious activity, and update to version 8.19 or later.
Technical summary
The CVE-2026-25568 vulnerability in Wekan versions prior to 8.19 is caused by incomplete server-side enforcement of the allowPrivateOnly setting. This allows users to create public boards even when the setting is enabled. Affected users should review and adjust the allowPrivateOnly setting and monitor for suspicious activity. Updating to version 8.19 or later mitigates this vulnerability. Users with administrative privileges should prioritize updating Wekan and review compensating controls for exposed systems. This vulnerability has a CVSS score of 7.1 and is classified as HIGH severity.
Defensive priority
High priority should be given to updating Wekan to version 8.19 or later to mitigate this vulnerability and reviewing compensating controls for exposed systems.
Recommended defensive actions
- Update Wekan to version 8.19 or later
- Review and adjust the allowPrivateOnly setting
- Monitor for suspicious activity
- Review compensating controls for exposed systems
- Check relevant monitoring, detection, and logs for exposed assets
- Track exceptions and retest remediated assets
- Confirm whether affected product deployments exist in managed environments
Evidence notes
The CVE record was published on 2026-02-07T22:16:02.467Z and was last modified on 2026-07-14T16:16:55.160Z. The NVD entry is currently Analyzed. Evidence is limited to CVE and NVD information. Defenders should verify affected product deployments and review official advisories.
Official resources
-
CVE-2026-25568 CVE record
CVE.org
-
CVE-2026-25568 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Source reference
[email protected] - Product
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-07T22:16:02.467Z and has not been modified since then. The NVD entry is currently Analyzed.