PT-2026-6930 · Wekan · Wekan

Joshua Rogers · Published 2026-02-07 · Updated 2026-02-10 · CVE-2026-25567

CVSS v4.0: 5.3 Medium

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: WeKan versions prior to 8.19

Description: WeKan contains an insecure direct object reference (IDOR) in the card comment creation API. The API endpoint accepts an authorId from the request body, which allows an authenticated user to spoof the recorded comment author by providing another user's identifier.

Recommendations: Update WeKan to version 8.19 or later.
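
The pattern described above, shown as an added example that is not WeKan's code or its actual fix: a handler that trusts authorId from the request body beside one that derives the author from the authenticated session. The function names, the session object, the in-memory store and the user ids are hypothetical.

```javascript
// Hypothetical in-memory model of a card comment API; not WeKan's code.
const comments = [];

// Vulnerable pattern: the author is whatever the request body claims.
function createCommentVulnerable(session, body) {
  const doc = { cardId: body.cardId, text: body.text, authorId: body.authorId };
  comments.push(doc);
  return doc;
}

// Hardened pattern: the author always comes from the authenticated session.
// A body-supplied authorId that disagrees with the session is rejected, so the
// mismatch surfaces as an error that can be logged instead of being ignored.
function createCommentHardened(session, body) {
  if (!session || !session.userId) {
    throw Object.assign(new Error('authentication required'), { status: 401 });
  }
  if (body.authorId !== undefined && body.authorId !== session.userId) {
    throw Object.assign(new Error('authorId does not match session'), { status: 403 });
  }
  const doc = { cardId: body.cardId, text: body.text, authorId: session.userId };
  comments.push(doc);
  return doc;
}

// Constructed sample request: the session belongs to "u-alice", the body names "u-bob".
const session = { userId: 'u-alice' };
const mismatched = { cardId: 'c1', text: 'hello', authorId: 'u-bob' };

function demo() {
  // Vulnerable handler records the body's authorId as the comment author.
  const recorded = createCommentVulnerable(session, mismatched).authorId;
  // Hardened handler refuses the same request.
  let rejectedStatus = null;
  try {
    createCommentHardened(session, mismatched);
  } catch (err) {
    rejectedStatus = err.status;
  }
  // A request without authorId is attributed to the session user.
  const honest = createCommentHardened(session, { cardId: 'c1', text: 'hi' }).authorId;
  return { recorded, rejectedStatus, honest };
}

console.log(demo());
```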

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-25567

Affected Products: Wekan