Authorization Logic Vulnerability in WeKan by WeKan
CVE-2026-25568

7.1HIGH

Key Information:

Vendor: Wekan
Status: Wekan
Vendor: CVE Published:; 7 February 2026

What is CVE-2026-25568?

WeKan versions prior to 8.19 exhibit an authorization logic flaw that compromises the enforcement of the 'allowPrivateOnly' instance configuration. This issue allows users to create public boards even when private settings are intended, revealing a gap in server-side validation during board creation. The vulnerability arises from insufficient checks that fail to restrict access appropriately, thus posing a risk of unintentional data exposure for users expecting privacy.

Affected Version(s)

WeKan 0 < 8.19

References

https://github.com/wekan/wekan/commit/7ed76c180ede46ab1da...

patch

https://wekan.fi/

product

https://www.vulncheck.com/advisories/wekan-allowprivateon...

third-party-advisory

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 7, 2026
Vulnerability Reserved
Feb 2, 2026

Credit

Joshua Rogers

CVE-2026-25568 Data

JSON

Wekan

What is CVE-2026-25568?

Affected Version(s)

References

CVSS V4

Timeline

Credit