CVE-2026-25561: WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully vali
high
vulnerability
security
Summary
WeKan versions before 8.19 have a bug in the attachment upload API: it does not properly check that the identifiers supplied with an upload (such as boardId, cardId, and listId) are consistent with one another, so an attacker can upload attachments using identifiers that do not belong together. This is an authorization weakness (CWE-863, a flaw in access control), rated HIGH severity, and exploiting it requires the attacker to already have login credentials.
Solution / Mitigation
Update to WeKan version 8.19 or later. A patch is available at https://github.com/wekan/wekan/commit/1d16955b6d4f0a0282e89c2c1b0415c7597019b8.
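For teams reviewing their own upload handlers for the same class of flaw, the following added example (not WeKan's code and not the referenced patch) shows one way to bind boardId, listId and cardId to each other before an attachment is accepted. The in-memory maps, field names and the `checkAttachmentTarget` helper are assumptions made for illustration.

```javascript
// Constructed sample data; field names are assumptions, not WeKan's schema.
const boards = new Map([
  ['b1', { members: ['alice'] }],
  ['b2', { members: ['bob'] }],
]);
const lists = new Map([
  ['l1', { boardId: 'b1' }],
  ['l2', { boardId: 'b2' }],
  ['l3', { boardId: 'b1' }],
]);
const cards = new Map([
  ['c1', { boardId: 'b1', listId: 'l1' }],
  ['c2', { boardId: 'b2', listId: 'l2' }],
]);

// Hypothetical helper: decides whether an upload request may proceed.
// Returns { ok, reason } so callers can log the exact rejection cause.
function checkAttachmentTarget(userId, { boardId, listId, cardId }) {
  // Only non-empty strings are valid identifiers; objects or arrays are
  // rejected before they reach any lookup.
  for (const id of [boardId, listId, cardId]) {
    if (typeof id !== 'string' || id.length === 0) {
      return { ok: false, reason: 'invalid-id' };
    }
  }
  const board = boards.get(boardId);
  const list = lists.get(listId);
  const card = cards.get(cardId);
  if (!board || !list || !card) return { ok: false, reason: 'not-found' };

  // In this example the access decision is made against the board ...
  if (!board.members.includes(userId)) return { ok: false, reason: 'forbidden' };

  // ... so the list and the card must be bound to that same board, and the
  // card to that list. Checking each id in isolation is not enough.
  if (list.boardId !== boardId) return { ok: false, reason: 'list-board-mismatch' };
  if (card.boardId !== boardId) return { ok: false, reason: 'card-board-mismatch' };
  if (card.listId !== listId) return { ok: false, reason: 'card-list-mismatch' };
  return { ok: true, reason: 'ok' };
}
```

Logging the returned `reason` for rejected requests gives a simple signal for spotting clients that submit mismatched identifiers.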
Vulnerability Details
CVSS Score
7.5 (high)
EPSS (30-day exploit probability)
EPSS: 0.0%
Classification
Attack Sophistication: Moderate
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-25561
First tracked: February 15, 2026 at 08:52 PM
Classified by LLM (prompt v3) · confidence: 95%