CVE-2026-25567 Overview
CVE-2026-25567 is an Insecure Direct Object Reference (IDOR) vulnerability affecting WeKan, the open-source kanban board application. The vulnerability exists in the card comment creation API endpoint, which improperly accepts an authorId parameter from the request body. This design flaw allows any authenticated user to spoof the recorded comment author by supplying another user's identifier, effectively impersonating other users in the system's comment history.
Critical Impact
Authenticated attackers can forge comments that appear to be authored by any user on the WeKan instance, potentially enabling social engineering attacks, reputation damage, or manipulation of audit trails within project boards.
Affected Products
- WeKan versions prior to 8.19
- wekan_project wekan (all platforms)
Discovery Timeline
- 2026-02-07 - CVE-2026-25567 published to NVD
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2026-25567
Vulnerability Analysis
The vulnerability stems from a classic IDOR pattern where the API endpoint trusts user-supplied input for authoritative data that should be server-controlled. In the affected versions of WeKan, the card comment creation API accepts an authorId parameter directly from the HTTP request body. The server fails to validate that the authenticated user's session identity matches the provided authorId, allowing any authenticated user to create comments attributed to arbitrary users.
This type of vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), where security-critical authorization decisions rely on user-controllable input rather than server-side session data.
Root Cause
The root cause lies in the models/cardComments.js file where the API route handler accepted the authorId as a client-supplied parameter. The endpoint trusted the incoming request to provide an honest author identifier rather than deriving the comment author from the authenticated session context. This architectural mistake allowed the client to specify any user ID, bypassing the implicit authorization that a user can only post comments as themselves.
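To make the pattern concrete, the following added example (illustrative code written for this page, not WeKan's own models/cardComments.js) shows a minimal comment-creation handler in its vulnerable and hardened forms. `req.userId` stands for the identity the server established from the authenticated session and `req.body` for the parsed JSON body; both names, the in-memory store and the sample request are assumptions constructed for the example.

```javascript
// Added illustration (not WeKan's code). Constructed in-memory store standing
// in for the server-side comments collection.
const comments = [];

// Both boardId and cardId must be non-empty strings; shared by both handlers.
function validateIds(body) {
  for (const key of ['boardId', 'cardId']) {
    if (typeof body[key] !== 'string' || body[key].length === 0) {
      throw new Error(`missing ${key}`);
    }
  }
}

// Vulnerable pattern (the pre-8.19 behaviour the advisory describes):
// the recorded author is whatever authorId the client put in the body.
function createCommentVulnerable(req) {
  validateIds(req.body);
  const comment = {
    _id: `c${comments.length + 1}`,
    boardId: req.body.boardId,
    cardId: req.body.cardId,
    userId: req.body.authorId, // defect: user-controlled key decides authorship (CWE-639)
    text: req.body.text,
  };
  comments.push(comment);
  return comment;
}

// Hardened pattern (the shape of the fix described in the advisory):
// authorship comes only from the authenticated session. Any authorId the
// client sends is ignored; the body carries just the comment text.
function createCommentFixed(req) {
  if (typeof req.userId !== 'string' || req.userId.length === 0) {
    throw new Error('unauthenticated');
  }
  validateIds(req.body);
  if (typeof req.body.comment !== 'string' || req.body.comment.trim() === '') {
    throw new Error('missing comment');
  }
  const comment = {
    _id: `c${comments.length + 1}`,
    boardId: req.body.boardId,
    cardId: req.body.cardId,
    userId: req.userId, // server-controlled: the session identity, never the body
    text: req.body.comment,
  };
  comments.push(comment);
  return comment;
}

// Constructed request: session user u_alice tries to attribute the comment to u_admin.
const SPOOF_REQUEST = {
  userId: 'u_alice',
  body: { boardId: 'b1', cardId: 'k1', authorId: 'u_admin', text: 'approved', comment: 'approved' },
};

// Runs both handlers on the same request and reports who each one records as author.
function demo() {
  return {
    vulnerableAuthor: createCommentVulnerable(SPOOF_REQUEST).userId, // 'u_admin'
    fixedAuthor: createCommentFixed(SPOOF_REQUEST).userId,           // 'u_alice'
  };
}
```

A stricter variant of `createCommentFixed` would reject a request that still contains `authorId` with a 400 instead of silently ignoring it; that costs nothing functionally and makes spoof attempts visible to clients and in logs.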
Attack Vector
The attack requires network access and valid authentication credentials to the WeKan instance. An attacker with a legitimate account can exploit this vulnerability by:
- Authenticating to the WeKan instance with their own credentials
- Identifying the target user's ID (which may be discoverable through the application interface)
- Crafting an API request to create a card comment
- Replacing their own authorId with the target user's ID in the request body
- The comment is created and attributed to the target user
The following patch from the official fix demonstrates the remediation:
*
* @param {string} boardId the board ID of the card
* @param {string} cardId the ID of the card
- * @param {string} authorId the user who 'posted' the comment
- * @param {string} text the content of the comment
+ * @param {string} comment the content of the comment
* @return_type {_id: string}
*/
JsonRoutes.add(
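Review bot: the visible hunk changes only the JSDoc (drops the `authorId` line, renames the `text` parameter to `comment`), while the route body after `JsonRoutes.add(` lies outside the hunk. Confirm in that body that nothing still reads `authorId` from the request and that the stored author is set from the authenticated session, otherwise the doc change alone does not close the issue; and since `text` becomes `comment`, existing API clients sending `text` will break, so a note in the release changelog is warranted.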
Source: GitHub Wekan Commit
Detection Methods for CVE-2026-25567
Indicators of Compromise
- Comments appearing from users who report they did not create them
- Audit logs showing comment creation API calls where the authenticated user differs from the authorId parameter
- Unusual patterns of comments attributed to privileged users or administrators
- User complaints about unauthorized statements attributed to their accounts
Detection Strategies
- Implement API request logging that captures both the authenticated session user and any authorId parameter in comment creation requests
- Create alerts for mismatches between the authenticated user and submitted authorId values
- Review historical comment data for patterns that may indicate past exploitation
- Monitor for reconnaissance activity targeting user ID enumeration
Monitoring Recommendations
- Enable detailed API access logging for all card comment endpoints
- Configure SIEM rules to detect identity spoofing patterns in WeKan API traffic
- Establish baseline behavior for comment creation patterns per user
- Implement real-time alerting for any API requests containing authorId parameters that differ from session identity
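The mismatch check called for under Detection Strategies and Monitoring Recommendations can be run over existing access logs. The following added example (written for this page, not tooling from the WeKan project) scans one-JSON-object-per-line request logs for comment-creation requests whose body `authorId` differs from the session identity. The log format, the field names `sessionUserId` and `body`, and the sample lines are all constructed assumptions; adapt the field names to what your proxy or application logger actually emits.

```javascript
// Added example, not part of the advisory. Constructed sample log: one JSON
// object per line, as an application-level request logger might write it.
const SAMPLE_LOG = [
  '{"ts":"2026-02-08T09:12:01Z","method":"POST","path":"/api/boards/b1/cards/k1/comments","sessionUserId":"u_alice","body":{"authorId":"u_alice","comment":"looks good"}}',
  '{"ts":"2026-02-08T09:13:40Z","method":"POST","path":"/api/boards/b1/cards/k1/comments","sessionUserId":"u_alice","body":{"authorId":"u_admin","comment":"approved, ship it"}}',
  '{"ts":"2026-02-08T09:14:02Z","method":"GET","path":"/api/boards/b1/cards/k1/comments","sessionUserId":"u_bob"}',
  '{"ts":"2026-02-08T09:15:17Z","method":"POST","path":"/api/boards/b2/cards/k7/comments","sessionUserId":"u_alice","body":{"authorId":"u_carol","comment":"please reassign to me"}}',
  '{"ts":"2026-02-08T09:16:00Z","method":"POST","path":"/api/boards/b2/cards/k7/comments","sessionUserId":"u_bob","body":{"comment":"sent by a client that no longer includes authorId"}}',
  'not json at all',
].join('\n');

// Path shape assumed for the comment-creation endpoint.
const COMMENT_CREATE_PATH = /^\/api\/boards\/[^/]+\/cards\/[^/]+\/comments\/?$/;

// Tolerate malformed lines: a broken log line must not abort the whole scan.
function parseLine(line) {
  try {
    return JSON.parse(line);
  } catch (e) {
    return null;
  }
}

function isCommentCreate(ev) {
  return ev !== null
    && ev.method === 'POST'
    && typeof ev.path === 'string'
    && COMMENT_CREATE_PATH.test(ev.path);
}

// One finding per comment-creation request whose body carries an authorId
// that does not equal the authenticated session user.
function findAuthorSpoofs(logText) {
  const findings = [];
  for (const raw of logText.split('\n')) {
    const ev = parseLine(raw);
    if (!isCommentCreate(ev)) continue;
    const claimed = ev.body && ev.body.authorId;
    if (claimed === undefined) continue; // patched clients send no authorId at all
    if (claimed !== ev.sessionUserId) {
      findings.push({
        ts: ev.ts,
        sessionUserId: ev.sessionUserId,
        claimedAuthorId: claimed,
        path: ev.path,
      });
    }
  }
  return findings;
}

// Aggregate findings per session user so repeated spoofing stands out in a
// SIEM dashboard; this is the per-user baseline the recommendations ask for.
function spoofCountsByUser(findings) {
  const counts = {};
  for (const f of findings) {
    counts[f.sessionUserId] = (counts[f.sessionUserId] || 0) + 1;
  }
  return counts;
}

// Usage on the constructed sample: two mismatches, both from u_alice.
function report() {
  const findings = findAuthorSpoofs(SAMPLE_LOG);
  return { findings, byUser: spoofCountsByUser(findings) };
}
```

On a patched instance the same scan can be tightened to flag any request that carries `authorId` at all, since a fixed server never needs it and a client still sending it is either stale or probing.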
How to Mitigate CVE-2026-25567
Immediate Actions Required
- Upgrade WeKan to version 8.19 or later immediately
- Review recent comment activity for signs of author spoofing
- Audit API access logs for any exploitation attempts
- Notify users if spoofed comments are discovered on their behalf
Patch Information
The WeKan development team has addressed this vulnerability in version 8.19. The fix removes the client-controllable authorId parameter from the API endpoint, ensuring that comment authorship is derived from the authenticated session context. The security patch is available via the official GitHub commit.
Organizations should update to the patched version as soon as possible. The VulnCheck advisory provides additional details on the vulnerability.
Workarounds
- Restrict network access to WeKan instances to trusted users and networks only
- Implement a Web Application Firewall (WAF) rule to strip or reject authorId parameters from comment creation API requests
- Enable enhanced logging and monitoring while awaiting patch deployment
- Consider temporarily disabling the comment API if comment functionality is not critical
# Example: Restrict access to WeKan at the network level (nginx)
# Add to nginx server block to limit access to trusted networks
location /api/ {
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny all;
    proxy_pass http://wekan_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

