Wekan Unauthenticated Board Sort Update Vulnerability Allowing Arbitrary Reordering

Vulnerability

A vulnerability exists in Wekan, the open-source kanban board system, in versions prior to 18.15. The permission check that guards updates to a board's sort value does not verify the identity of the caller, so an unauthenticated user can change a board's sort value. Because the sort value determines the order in which boards are listed, this allows arbitrary reordering of boards.

Impact

Anyone who can reach the instance, without holding an account, can change the order in which boards are listed for other users, disrupting their organization and workflow. As described, the flaw affects board ordering only.

Reproduction

To reproduce this vulnerability, access a Wekan instance running a version prior to 18.15. Navigate to the 'All Boards' or 'Public Boards' page. Without logging in, submit a request that changes a board's sort value. The server applies the change, which demonstrates that the permission check does not verify the caller. To confirm a fix, repeat the same unauthenticated request against a patched version; it should be rejected and the board order should remain unchanged.
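The following is an added illustration of the vulnerability class described above, not Wekan's own code: a minimal model of a permission check for updating a board's sort value, shown in the vulnerable form (the check restricts which field may change but never looks at who the caller is) beside the hardened form (the caller must be authenticated and a member of the board). The collection data, function names and membership model are hypothetical.

```javascript
// Added illustration, not Wekan's own code. Names and data are hypothetical.

// Constructed sample data standing in for a boards collection.
const BOARDS = [
  { _id: 'b1', title: 'Public roadmap', permission: 'public', sort: 0,
    members: [{ userId: 'u1', isAdmin: true }] },
  { _id: 'b2', title: 'Team board', permission: 'private', sort: 1,
    members: [{ userId: 'u2', isAdmin: false }] },
];

// Vulnerable form: only checks that the modifier touches nothing but
// `sort`. It never inspects userId, so an unauthenticated caller
// (userId === null) passes the check.
function canUpdateSortVulnerable(userId, board, fields) {
  return fields.every(f => f === 'sort');
}

// Hardened form: the caller must be authenticated AND be a member of the
// board; the field restriction from the original check is kept.
function canUpdateSortHardened(userId, board, fields) {
  if (!userId) return false;                       // reject anonymous callers
  if (!fields.every(f => f === 'sort')) return false;
  return board.members.some(m => m.userId === userId);
}

// Applies a sort update if the supplied check allows it. Works on a copy
// of the boards so the effect can be inspected without global state.
function updateSort(boards, boardId, newSort, userId, check) {
  const out = boards.map(b => ({ ...b, members: [...b.members] }));
  const board = out.find(b => b._id === boardId);
  if (!board) return { boards: out, applied: false, reason: 'no such board' };
  if (!check(userId, board, ['sort'])) {
    return { boards: out, applied: false, reason: 'denied' };
  }
  board.sort = newSort;
  return { boards: out, applied: true, reason: 'ok' };
}

// Board ids in the order a board list would display them.
function displayOrder(boards) {
  return [...boards].sort((a, b) => a.sort - b.sort).map(b => b._id);
}

// Anonymous reorder: succeeds against the vulnerable check, is denied by
// the hardened one; a board member is still allowed to reorder.
function demo() {
  const anon = updateSort(BOARDS, 'b2', -1, null, canUpdateSortVulnerable);
  const anonFixed = updateSort(BOARDS, 'b2', -1, null, canUpdateSortHardened);
  const member = updateSort(BOARDS, 'b2', -1, 'u2', canUpdateSortHardened);
  return {
    vulnerableAnon: anon.applied,
    hardenedAnon: anonFixed.applied,
    hardenedMember: member.applied,
    orderAfterAnonVulnerable: displayOrder(anon.boards),
    orderAfterAnonHardened: displayOrder(anonFixed.boards),
  };
}

console.log(demo());
```

The point of the hardened check is the first line: an authorization rule that only constrains which fields may change still lets an anonymous caller through unless it also requires an authenticated identity and ties that identity to the resource.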

Remediation

Update to Wekan version 18.16 or later, which includes the fix for this vulnerability.

Added: Dec 15, 2025, 2:24 PM
Updated: Dec 15, 2025, 6:58 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.6
exploitability: 9.1
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.