WeKan Authorization Logic Vulnerability Allowing Private Board Setting Bypass

Vulnerability

A vulnerability exists in WeKan versions prior to 8.19: the authorization check behind the 'allowPrivateOnly' setting is not enforced on the server during board creation. When 'allowPrivateOnly' is enabled, a user can still create a public board because the server does not adequately validate the requested board permission against the setting.

Impact

Exploitation of this vulnerability allows users to create public boards even when the 'allowPrivateOnly' setting is enabled, bypassing intended access controls.

Reproduction

To reproduce this vulnerability, enable the 'allowPrivateOnly' setting in the WeKan instance configuration. Then, create a new board and set its permission to public. The board will be created successfully, despite the 'allowPrivateOnly' setting being active, demonstrating the bypass of the authorization logic.
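The server-side enforcement the advisory describes as missing, shown as an added illustration in JavaScript (WeKan is a Meteor/JavaScript application). This is not WeKan's own code: the settings field name, the permission values, the board shape and the helper names are assumptions made for the example, and the audit helper is a defender's addition for finding boards that already violate the policy.

```javascript
// Added illustration, not WeKan's code. `allowPrivateOnly`, the
// 'private'/'public' values and every helper below are assumptions.

// Instance settings as this example assumes them: one boolean flag.
const settings = { allowPrivateOnly: true };

// Server-side check to run before a board is inserted. The permission the
// client asks for is untrusted input; the decision is made here, not in
// the client UI.
function validateBoardPermission(settings, requestedPermission) {
  const allowed = new Set(['private', 'public']);
  if (!allowed.has(requestedPermission)) {
    throw new Error(`invalid board permission: ${requestedPermission}`);
  }
  if (settings.allowPrivateOnly && requestedPermission !== 'private') {
    throw new Error('public boards are disabled by allowPrivateOnly');
  }
  return requestedPermission;
}

// Board creation that depends on the check above. The flaw the advisory
// describes corresponds to this function without the validate call:
// it would persist whatever `permission` the client sent.
function createBoard(settings, boards, { title, permission }) {
  const effective = validateBoardPermission(settings, permission);
  const board = { title, permission: effective, createdAt: new Date() };
  boards.push(board);
  return board;
}

// Audit helper: list boards that are public although the instance is
// configured as private-only, e.g. boards created on an affected version.
function findPolicyViolations(settings, boards) {
  if (!settings.allowPrivateOnly) return [];
  return boards.filter((b) => b.permission === 'public');
}

// Constructed sample data so the example runs stand-alone.
const boards = [
  { title: 'Roadmap', permission: 'public', createdAt: new Date('2026-01-01') },
  { title: 'Team', permission: 'private', createdAt: new Date('2026-01-02') },
];
```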

Remediation

Upgrade to WeKan version 8.19 or later, where this vulnerability has been addressed.

Added: Feb 7, 2026, 10:19 PM
Updated: Feb 7, 2026, 10:19 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 1.3
exploitability: 6.3
remediation: 7.7
relevance: 2.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.