Wekan Vulnerability

MEDIUM (6.5) No Patch (2 days)

Threat Intelligence

Low Risk
EPSS Score: 0.02% chance of exploitation (percentile: 4%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

Wekan is an open-source kanban board system used by organizations to manage projects and tasks. This vulnerability allows unauthorized users to forge entries in a card's vote.positive / vote.negative arrays, casting votes they are not entitled to. If you're using Wekan, you're at risk of having your vote counts manipulated or altered.
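The root cause described above is that vote arrays are accepted from the client without checking that the caller is only changing their own entry. The following is an added example of the server-side guard a defender would want, not Wekan's own code: the field names vote.positive and vote.negative come from the advisory, while the function names, the card shape and the userId values are assumptions constructed for illustration.

```javascript
// Added example (not Wekan's code): server-side validation of card votes.
// Field names vote.positive / vote.negative follow the advisory; the function
// names, card shape and user ids are assumptions constructed for this example.

// Apply a vote on behalf of the authenticated caller only. The caller's id
// comes from the server-side session, never from the request body.
function applyVote(card, userId, direction) {
  // direction: "positive", "negative", or "none" (retract an earlier vote)
  if (typeof userId !== "string" || userId.length === 0) {
    throw new Error("vote rejected: missing caller identity");
  }
  if (!["positive", "negative", "none"].includes(direction)) {
    throw new Error("vote rejected: invalid direction");
  }
  const positive = (card.vote && card.vote.positive) || [];
  const negative = (card.vote && card.vote.negative) || [];
  const without = (arr) => arr.filter((id) => id !== userId);
  // Remove the caller from both sides, then add them to the requested side.
  const next = { positive: without(positive), negative: without(negative) };
  if (direction !== "none") next[direction].push(userId);
  return { ...card, vote: { ...card.vote, ...next } };
}

// Guard for code paths that still accept whole vote arrays from the client:
// accept the update only if the sole difference from the stored arrays is
// the caller's own id, and the caller is not on both sides at once.
function validateVoteUpdate(stored, proposed, userId) {
  for (const side of ["positive", "negative"]) {
    const before = new Set(stored[side] || []);
    const after = new Set(proposed[side] || []);
    for (const id of after) {
      if (!before.has(id) && id !== userId) return false; // forged addition
    }
    for (const id of before) {
      if (!after.has(id) && id !== userId) return false; // forged removal
    }
  }
  const pos = new Set(proposed.positive || []);
  for (const id of proposed.negative || []) {
    if (pos.has(id)) return false; // same user voting both ways
  }
  return true;
}

module.exports = { applyVote, validateVoteUpdate };
```

The important design choice is that userId is taken from the server's notion of the logged-in user and the arrays are derived on the server; rejecting arbitrary client-supplied arrays (validateVoteUpdate) is the fallback for any endpoint that cannot be moved to applyVote.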

Am I affected?

You're affected if you use Wekan version 18.15 or earlier. To check if you're running this software, run the following command:

git ls-remote --heads origin

This will list all branches on the Wekan repository. If your branch name contains "wekan-18" or lower, you're likely affected.

Affected Products

aEnrich / a+HRD

How to fix

To fix this vulnerability, upgrade to Wekan version 18.16 or later. You can do this by:

  1. Running git pull in your Wekan repository.
  2. Updating to the latest version of Wekan through your package manager (e.g., npm or yarn).
  3. If you can't upgrade immediately:
    • Restrict network access to your Wekan instance (firewall it from the public internet).
    • Audit admin account activity for suspicious access patterns.
    • Monitor for unauthorized token creation.