WeKan Insecure Direct Object Reference Vulnerability Allowing Comment Author Spoofing

Vulnerability

A vulnerability exists in WeKan versions prior to 8.19, where an insecure direct object reference (IDOR) is present in the card comment creation API. The issue allows authenticated users to spoof the author of a comment by providing another user's author ID. This vulnerability arises because the API endpoint accepts user-controlled author IDs in the request body, enabling the manipulation of comment attribution.
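The pattern described above, as an added illustration that is not WeKan's code: a handler that trusts the body-supplied author ID, the hardened form that binds attribution to the authenticated session, and a log check a defender can run on an unpatched host. Field names (authorId, cardId, text), the session shape and the log entry format are assumptions.

```javascript
// Added example, not WeKan's code. Field names (authorId, cardId, text),
// the session shape and the log format are assumptions for illustration.

// Constructed in-memory user store standing in for the real database.
const users = new Map([
  ["u-alice", { username: "alice" }],
  ["u-bob", { username: "bob" }],
]);

// Vulnerable shape of the defect described above: attribution comes from
// the request body, so any authenticated caller can name another user.
function createCommentVulnerable(session, body) {
  if (!session || !session.userId) throw new Error("unauthenticated");
  return { cardId: body.cardId, text: body.text, authorId: body.authorId };
}

// Hardened shape: the author is always the authenticated principal. A
// client-supplied authorId is only accepted when it matches the session;
// a mismatch is rejected and recorded for the audit trail.
function createCommentFixed(session, body, audit = []) {
  if (!session || !users.has(session.userId)) throw new Error("unauthenticated");
  if (body.authorId !== undefined && body.authorId !== session.userId) {
    audit.push(`authorId spoof attempt: session=${session.userId} claimed=${body.authorId}`);
    throw new Error("authorId must match the authenticated user");
  }
  return { cardId: body.cardId, text: body.text, authorId: session.userId };
}

// Detection over access-log entries (constructed shape: {userId, route, body}):
// return comment-creation requests whose body authorId differs from the
// authenticated user, the signature of this issue being abused on an unpatched host.
function findSpoofedCommentRequests(entries) {
  return entries.filter(
    (e) => e.route === "POST comment" && e.body && e.body.authorId && e.body.authorId !== e.userId,
  );
}

// Constructed sample log: one legitimate comment, one spoofed one, one unrelated request.
const sampleLog = [
  { userId: "u-bob", route: "POST comment", body: { cardId: "c1", text: "ok", authorId: "u-bob" } },
  { userId: "u-bob", route: "POST comment", body: { cardId: "c1", text: "hi", authorId: "u-alice" } },
  { userId: "u-alice", route: "GET card", body: {} },
];
```

Running findSpoofedCommentRequests over the sample log returns only the second entry, where the session user and the claimed author differ.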

Impact

Exploitation of this vulnerability allows for unauthorized modification of comment authorship, potentially leading to misinformation or misrepresentation of user contributions within the application.

Remediation

Users can upgrade to WeKan version 8.19 or later to address this vulnerability.

Added: Feb 7, 2026, 10:19 PM
Updated: Feb 7, 2026, 10:19 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 0.6
exploitability: 5.5
remediation: 7.7
relevance: 2.8
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.