Insecure Direct Object Reference in WeKan Affects User Data Management
CVE-2026-25564

7.1HIGH

Key Information:

Vendor: Wekan
Status: Wekan
Vendor: CVE Published:; 7 February 2026

What is CVE-2026-25564?

WeKan versions prior to 8.19 are susceptible to an insecure direct object reference (IDOR) vulnerability. This issue arises in the checklist creation process, where the application fails to verify the association between the provided cardId and the corresponding boardId. As a result, attackers can manipulate identifiers, allowing cross-board ID tampering. This flaw undermines the integrity of checklist routes, potentially leading to unauthorized access and alterations to user data across different boards.

Affected Version(s)

WeKan 0 < 8.19

References

https://github.com/wekan/wekan/commit/08a6f084eba09487743...

patch

https://wekan.fi/

product

https://www.vulncheck.com/advisories/wekan-checklist-dele...

third-party-advisory

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 7, 2026
Vulnerability Reserved
Feb 2, 2026

Credit

Joshua Rogers

CVE-2026-25564 Data

JSON

Wekan

What is CVE-2026-25564?

Affected Version(s)

References

CVSS V4

Timeline

Credit