Unrated severityNVD Advisory· Published Feb 7, 2026· Updated Mar 5, 2026

WeKan < 8.19 Checklist Deletion IDOR via Missing Relationship Validation

CVE-2026-25564

Description

WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.

Affected products

Wekan/Wekanv5
Range: 0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/wekan/wekan/commit/08a6f084eba09487743a7c807fb4a9000fcfa9acmitrepatch
www.vulncheck.com/advisories/wekan-checklist-deletion-idor-via-missing-relationship-validationmitrethird-party-advisory
wekan.fimitreproduct

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000