CVE-2026-25565 HIGH

CVE-2026-25565: WeKan < 8.19 Read-only Board Roles Can Update Cards

Vendor Wekan

Product WeKan

Weakness CWE-863 · Incorrect authorization

Published February 7, 2026

Last update May 11, 2026

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access.

Key dates

02Disclosure timeline

February 7, 2026 CVE published

May 11, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-25565 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

CVE-2026-25565: WeKan < 8.19 Read-only Board Roles Can Update Cards

01Description

02Disclosure timeline

03References

04Related CVE