CVE Catalog

CVE-2026-25568

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

9th percentile - higher than 9% of all known CVEs

Summary

In WeKan versions prior to 8.19, there is an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete server-side enforcement.

Risk Assessment

The risk is that an organization may inadvertently expose sensitive data because users can create public boards despite the allowPrivateOnly setting being enabled, leading to potential information leakage.

Recommendation

It is recommended to immediately upgrade WeKan to version 8.19 or later, which includes a fix that enforces the allowPrivateOnly setting during board creation.

Original NVD description (English source)

WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete server-side enforcement.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS