CVE-2026-25568

EPSS 0.03%
Veröffentlicht 07.02.2026 21:59:13
Zuletzt bearbeitet 10.02.2026 21:55:34
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete server-side enforcement.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Wekan Project ≫ Wekan Version < 8.19

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.073

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
disclosure@vulncheck.com	7.1	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://wekan.fi/

Product

https://github.com/wekan/wekan/commit/7ed76c180ede46ab1dac6b8ad27e9128a272c2c8

Patch

https://www.vulncheck.com/advisories/wekan-allowprivateonly-setting-enforcement-bypass

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-25568

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-25568

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-25568

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-25568