{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25566", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-02-02T20:12:33.397Z", "datePublished": "2026-02-07T21:58:33.259Z", "dateUpdated": "2026-05-11T23:11:14.110Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "WeKan", "repo": "https://github.com/wekan/wekan", "vendor": "WeKan", "versions": [{"lessThan": "8.19", "status": "affected", "version": "0", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*", "versionEndExcluding": "8.20"}]}]}], "credits": [{"lang": "en", "type": "finder", "value": "Joshua Rogers"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board, potentially enabling unauthorized cross-board moves."}], "value": "WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board, potentially enabling unauthorized cross-board moves."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 7.1, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-11T23:11:14.110Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/wekan/wekan/commit/198509e7600981400353aec6259247b3c04e043e"}, {"tags": ["product"], "url": "https://wekan.fi/"}, {"tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/wekan-cross-board-card-move-without-destination-authorization"}], "source": {"discovery": "UNKNOWN"}, "title": "WeKan < 8.19 Cross-board Card Move Without Destination Authorization", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T16:27:11.740735Z", "id": "CVE-2026-25566", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T16:27:22.185Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25566", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T16:27:11.740735Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T16:27:17.684Z"}}], "cna": {"title": "WeKan < 8.19 Cross-board Card Move Without Destination Authorization", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Joshua Rogers"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/wekan/wekan", "vendor": "WeKan", "product": "WeKan", "versions": [{"status": "affected", "version": "0", "lessThan": "8.19", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/wekan/wekan/commit/198509e7600981400353aec6259247b3c04e043e", "tags": ["patch"]}, {"url": "https://wekan.fi/", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/wekan-cross-board-card-move-without-destination-authorization", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board, potentially enabling unauthorized cross-board moves.", "supportingMedia": [{"type": "text/html", "value": "WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board, potentially enabling unauthorized cross-board moves.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "8.20"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-11T23:11:14.110Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25566", "state": "PUBLISHED", "dateUpdated": "2026-05-11T23:11:14.110Z", "dateReserved": "2026-02-02T20:12:33.397Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-02-07T21:58:33.259Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*", "matchCriteriaId": "BE76E9D8-332F-4A27-9690-CEEF9504B520", "versionEndExcluding": "8.19", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board, potentially enabling unauthorized cross-board moves."}, {"lang": "es", "value": "Las versiones de WeKan anteriores a la 8.19 contienen una vulnerabilidad de autorizaci\u00f3n en la l\u00f3gica de movimiento de tarjetas. Un usuario puede especificar un tablero/lista/carril de destino sin comprobaciones de autorizaci\u00f3n adecuadas para el destino y sin validar que los objetos de destino pertenezcan al tablero de destino, lo que podr\u00eda permitir movimientos no autorizados entre tableros."}], "id": "CVE-2026-25566", "lastModified": "2026-02-18T20:43:46.980", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-02-07T22:16:02.190", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Patch"], "url": "https://github.com/wekan/wekan/commit/198509e7600981400353aec6259247b3c04e043e"}, {"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://wekan.fi/"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/wekan-cross-board-card-move-without-destination-authorization"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T22:05:45.722665+00:00", "value": {"mitigation_remediation": ["Upgrade WeKan to version\u202f8.19 or later, which removes the missing authorization checks in the card move logic.", "Restrict card move permissions so only users who have authorized access to both the source and destination boards can perform moves; review and adjust role assignments accordingly.", " logging for move actions and monitor audit logs for unusual cross\u2011board card movements, reviewing suspicious activity promptly."], "summary": {"action": "Patch", "impact": "Authorization bypass allowing unauthorized cross\u2011board card movement"}, "threat_synthesis": {"affected_systems": "WeKan releases prior to version 8.19 are affected. The issue is present in the core code base and can be exercised by any user who has access to the application, regardless of the board to which they intend to move the card.", "description_and_impact": "The vulnerability resides in the card move logic of WeKan and is categorized as an authorization error (CWE\u2011863). A properly authenticated user can force a card to move to any board, list, or swimlane without the necessary permission checks against the destination. Consequently, an attacker who can control the destination parameters could transfer cards across boards they do not own, potentially leaking sensitive information or disrupting workflows.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a high impact security flaw. The exploit probability is very low (EPSS <\u00a01%) and the vulnerability is not listed in CISA's KEV catalog, suggesting it has not been widely exploited yet. The likely attack vector involves a user interacting with the application UI or API to submit a move request with a fabricated destination. A successful exploit would grant the attacker the ability to move cards in ways they are not authorized to, compromising confidentiality and integrity of data across boards."}}}}, "created": "2026-02-09T10:44:22.586491+00:00", "updated": "2026-04-17T22:15:29.446686+00:00", "vendors": ["wekan_project", "wekan_project$PRODUCT$wekan"]}