CVE-2026-25568
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk9th percentile - higher than 9% of all known CVEs
Summary
In WeKan versions prior to 8.19, there is an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete server-side enforcement.
Risk Assessment
The risk is that an organization may inadvertently expose sensitive data because users can create public boards despite the allowPrivateOnly setting being enabled, leading to potential information leakage.
Recommendation
It is recommended to immediately upgrade WeKan to version 8.19 or later, which includes a fix that enforces the allowPrivateOnly setting during board creation.
Original NVD description (English source)
WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete server-side enforcement.

