CVE-2026-25561 HIGH

CVE-2026-25561: WeKan < 8.19 Attachment Upload Object Relationship Validation Bypass

Vendor Wekan

Product WeKan

Weakness CWE-863 · Incorrect authorization

Published February 7, 2026

Last update May 11, 2026

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully validate that provided identifiers (such as boardId, cardId, swimlaneId, and listId) are consistent and refer to a coherent card/board relationship, enabling attempts to upload attachments with mismatched object relationships.

Key dates

02Disclosure timeline

February 7, 2026 CVE published

May 11, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-25561 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

CVE-2026-25561: WeKan < 8.19 Attachment Upload Object Relationship Validation Bypass

01Description

02Disclosure timeline

03References

04Related CVE