High severity8.3NVD Advisory· Published Apr 22, 2026· Updated Apr 23, 2026

CVE-2026-41454

Description

WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper privilege verification. Attackers can enumerate integrations including webhook URLs, create new integrations, modify or delete existing integrations, and manage integration activities by exploiting insufficient authorization checks in the JsonRoutes REST handlers.

Affected products

Wekan/Wekanreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/wekan/wekan/commit/2cd702f48df2b8aef0e7381685f8e089986a18a4nvd
github.com/wekan/wekan/releases/tag/v8.35nvd
www.vulncheck.com/advisories/wekan-missing-authorization-via-integration-rest-apinvd

News mentions

No linked articles in our index yet.

cvss	0.540
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000