Wekan Attachment API Identity Spoofing and Denial-of-Service Vulnerability

Vulnerability

An authentication flaw has been identified in Wekan, an open-source kanban board system, in versions prior to 18.15. The attachment upload API reads the Authorization bearer token and uses its value directly as a user ID instead of validating it as a login token. Because no secret is ever verified, any client that supplies a non-empty token reaches the upload code path, which allows trivial application-layer denial-of-service attacks, and a client that supplies another user's ID can act as that user (identity spoofing).

Impact

Exploitation of this vulnerability could lead to application-layer denial-of-service conditions, for example uploads that hold connections open or deliver excessive payloads, and allows identity spoofing: an attacker who supplies an arbitrary bearer token or a known user ID has attachments attributed to that user without proving possession of any credential.

Reproduction

The vulnerability can be reproduced by sending a request to the attachment upload API with any non-empty Authorization bearer token. The API treats the token value as a user ID without checking it against the user's stored login tokens, so the normal authentication check is bypassed. Supplying an existing user's ID attributes the upload to that user; supplying arbitrary values lets an unauthenticated client drive the upload path with hanging or oversized requests, producing the denial-of-service condition.

Remediation

Users should update to Wekan version 18.16, where this vulnerability has been fixed. After upgrading, confirm that a request to the attachment upload API carrying an arbitrary bearer value, or a bare user ID in place of a login token, is rejected with an authentication error rather than accepted.

Added: Dec 15, 2025, 2:20 PM
Updated: Dec 15, 2025, 6:55 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 1.5
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.