CVE-2025-65779 in WeKan
Summary
by MITRE • 12/15/2025
An issue was discovered in Wekan, the open source kanban board system, up to version 18.15 (fixed in 18.16). Unauthenticated attackers can update a board's "sort" value (Boards.allow returns true without verifying userId), allowing arbitrary reordering of boards.
Analysis
by VulDB Data Team • 12/15/2025
The vulnerability identified as CVE-2025-65779 affects Wekan, an open source kanban board system that has gained significant traction in collaborative project management environments. This issue represents a critical authorization flaw that undermines the integrity of board management operations within the platform. The vulnerability exists in versions up to 18.15 and has been addressed in the subsequent 18.16 release, highlighting the importance of timely security updates in collaborative software systems where multiple users may have varying permission levels.
The technical flaw manifests in the board sorting functionality where the system fails to properly validate user authentication status when processing sort value updates. Specifically, the Boards.allow method returns true regardless of whether a userId is present or authenticated, creating an authorization bypass condition. This occurs because the system does not implement proper access control checks before allowing modifications to board sort parameters, which are typically used to organize boards within a user's workspace. The flaw resides in the application's permission model and represents a classic case of insufficient authorization checks that allows unauthorized modifications to system resources.
The operational impact of this vulnerability extends beyond simple data reorganization as it provides unauthenticated attackers with the ability to manipulate board ordering in ways that could disrupt workflow processes or potentially expose sensitive information through strategic reordering. Attackers could exploit this vulnerability to reorder boards in a manner that obscures critical project information or creates confusion in collaborative environments where multiple users rely on consistent board organization. This type of manipulation could be particularly damaging in enterprise settings where project management clarity is essential for operational efficiency. The vulnerability affects all users who have access to the system's API endpoints, making it particularly concerning for publicly accessible Wekan installations.
Security practitioners should consider this vulnerability in relation to CWE-285, which addresses improper authorization issues in software systems, and aligns with ATT&CK technique T1078 for valid accounts and T1484 for legitimate credentials. Organizations using Wekan should immediately implement the patched version 18.16 and review their access control configurations to ensure that all board modification operations properly validate user authentication. Additional mitigations include implementing network-level restrictions on API endpoints, monitoring for unusual board reordering activities, and ensuring that proper user authentication mechanisms are enforced throughout the application. The vulnerability serves as a reminder of the critical importance of proper access control validation in collaborative software platforms where users may have varying levels of privileges and where unauthorized modifications could significantly impact operational integrity.