Insecure Direct Object Reference in WeKan by Wekan
CVE-2026-25567
5.3 MEDIUM
What is CVE-2026-25567?
WeKan versions below 8.19 contain an insecure direct object reference in the card comment creation API that authenticated users can exploit. By manipulating the authorId parameter in the request body, a user can post comments under a different author identifier, spoofing the comment's origin and potentially misleading other users. The issue needs prompt attention: user input must be properly validated to maintain the integrity of comments within the application.
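The pattern described above, shown as an added example rather than WeKan's own code: a comment handler that trusts authorId from the request body, next to one that binds the author to the authenticated caller. The handler names, the request shape (req.userId, req.params.cardId, req.body) and all sample identifiers are assumptions made for illustration.

```javascript
// Added illustration: hypothetical handlers, not WeKan's actual code.
// Assumed request shape: req.userId (set by the auth layer from the session
// or token), req.params.cardId, req.body.{authorId,text}.

// Vulnerable pattern: the stored author comes from the client-controlled body.
function createCommentVulnerable(req) {
  const { authorId, text } = req.body || {};
  return { cardId: req.params.cardId, authorId, text };
}

// Hardened pattern: the stored author is always the authenticated caller.
function createCommentHardened(req) {
  const { authorId, text } = req.body || {};
  if (!req.userId) {
    return { error: 401, reason: 'authentication required' };
  }
  if (typeof text !== 'string' || text.trim() === '') {
    return { error: 400, reason: 'comment text required' };
  }
  // Reject a mismatching authorId instead of silently dropping it, so the
  // attempt surfaces in API error logs.
  if (authorId !== undefined && authorId !== req.userId) {
    return { error: 403, reason: 'authorId does not match authenticated user' };
  }
  return { cardId: req.params.cardId, authorId: req.userId, text };
}

// Constructed sample requests (all identifiers are made up).
const spoofed = { userId: 'user-alice', params: { cardId: 'card-1' },
                  body: { authorId: 'user-bob', text: 'Approved' } };
const honest = { userId: 'user-alice', params: { cardId: 'card-1' },
                 body: { authorId: 'user-alice', text: 'Looks good' } };
const omitted = { userId: 'user-alice', params: { cardId: 'card-1' },
                  body: { text: 'No authorId sent' } };

function runDemo() {
  return {
    vulnerableSpoofed: createCommentVulnerable(spoofed),
    hardenedSpoofed: createCommentHardened(spoofed),
    hardenedHonest: createCommentHardened(honest),
    hardenedOmitted: createCommentHardened(omitted),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

A regression test for the fix can assert the same property: a comment's stored author always equals the authenticated user, whatever the request body contains.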
Affected Version(s)
WeKan 0 < 8.19
