Primary

Context

WeKan Authorization Weakness in Attachment Upload API Allowing Object Relationship Validation Bypass

Vulnerability

Patched

A vulnerability exists in WeKan versions prior to 8.19, where the attachment upload API fails to properly validate the consistency of provided identifiers, such as boardId, cardId, swimlaneId, and listId. This lack of validation allows for the upload of attachments with mismatched object relationships, creating an authorization weakness.

Impact

Exploitation of this vulnerability could lead to incorrect associations between attachments and their respective cards or boards, potentially causing confusion or mismanagement of tasks within the application.

Remediation

Users can upgrade to WeKan version 8.19 or later to address this vulnerability.

Added: Feb 7, 2026, 10:23 PM

Updated: Feb 7, 2026, 10:23 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

1.3

exploitability

5.9

remediation

7.7

relevance

2.8

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

1.3

exploitability

5.9

remediation

7.7

relevance

2.8

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

WeKan Authorization Weakness in Attachment Upload API Allowing Object Relationship Validation Bypass

Vulnerability

Impact

Remediation

Affected Products

WeKan

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating