WeKan Authorization Vulnerability Allowing Read-Only Users to Update Cards

Vulnerability

A vulnerability exists in WeKan versions prior to 8.19, where certain card update API endpoints improperly validate authorization. These endpoints only check if a user has read access to a board, rather than requiring write permission. As a result, users with read-only roles can update cards in ways that should only be possible for users with write access.
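The read-versus-write check described above, shown as an added example that is not WeKan's code: a simplified model in which the role names, board data and handler names are all hypothetical. It places a read-gated update handler beside a write-gated one and runs a regression check that flags any user without write permission whose update is accepted.

```javascript
// Simplified model of the flaw; not WeKan's code. All names are hypothetical.
const ROLES = {
  admin:    { read: true, write: true },
  normal:   { read: true, write: true },
  readOnly: { read: true, write: false },
};

// Constructed sample board: member id -> role, plus one card.
function makeBoard() {
  return {
    members: { alice: 'admin', bob: 'normal', carol: 'readOnly' },
    cards: { c1: { title: 'Original title' } },
  };
}

// True only if the user is a board member whose role grants the action.
const can = (board, userId, action) =>
  Boolean(ROLES[board.members[userId]]?.[action]);

// "Before": the update handler is gated on read access only.
function updateCardVulnerable(board, userId, cardId, patch) {
  if (!can(board, userId, 'read')) return { status: 403 };
  Object.assign(board.cards[cardId], patch);
  return { status: 200 };
}

// "After": a state-changing handler requires write permission.
function updateCardFixed(board, userId, cardId, patch) {
  if (!can(board, userId, 'write')) return { status: 403 };
  if (!board.cards[cardId]) return { status: 404 };
  Object.assign(board.cards[cardId], patch);
  return { status: 200 };
}

// Regression check: every user lacking write permission (including a
// non-member) must be refused and must leave the card unchanged.
function auditHandler(handler) {
  const findings = [];
  for (const userId of ['alice', 'bob', 'carol', 'mallory']) {
    const board = makeBoard();
    const res = handler(board, userId, 'c1', { title: 'changed' });
    const changed = board.cards.c1.title !== 'Original title';
    if (!can(board, userId, 'write') && (res.status === 200 || changed)) {
      findings.push(userId);
    }
  }
  return findings;
}

console.log('read-gated handler findings:', auditHandler(updateCardVulnerable));
console.log('write-gated handler findings:', auditHandler(updateCardFixed));
```

The same per-role loop can be pointed at a real deployment's update endpoints after upgrading, to confirm that each state-changing route refuses read-only accounts.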

Impact

Exploitation of this vulnerability allows users with read-only roles to update cards on boards, bypassing the intended access controls that restrict such actions to users with write permissions.

Remediation

Users can upgrade to WeKan version 8.19 or later to address this vulnerability.

Added: Feb 7, 2026, 10:21 PM
Updated: Feb 7, 2026, 10:21 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.6
exploitability: 5.5
remediation: 0.0
relevance: 2.8
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.