CVE Catalog

CVE-2026-25567

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile - higher than 16% of all known CVEs

Summary

An IDOR vulnerability in the card comment creation API of WeKan versions prior to 8.19 allows an authenticated user to spoof the comment author by supplying another user's identifier in the request. This compromises data integrity.

Risk Assessment

The organization faces manipulation of comment history, potentially leading to misinformation, privilege escalation, or impersonation of other users. This can undermine trust in the system and audit integrity.

Recommendation

Immediately upgrade WeKan to version 8.19 or later, which fixes the vulnerability. If upgrading is not possible, restrict access to the comment creation API to trusted users only.

Original NVD description (English source)

WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS