ByteOS Network

NVD Vulnerability Details :

CVE-2026-41454

Deferred

Source-disclosure@vulncheck.com

Published At-22 Apr, 2026 | 22:16

Updated At-23 Apr, 2026 | 16:27

WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper privilege verification. Attackers can enumerate integrations including webhook URLs, create new integrations, modify or delete existing integrations, and manage integration activities by exploiting insufficient authorization checks in the JsonRoutes REST handlers.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	8.7	HIGH	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary	3.1	8.3	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Type: Secondary

Version: 4.0

Base score: 8.7

Base severity: HIGH

Vector:

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Primary

Version: 3.1

Base score: 8.3

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Weaknesses

CWE ID	Type	Source
CWE-862	Primary	disclosure@vulncheck.com

CWE ID: CWE-862

Type: Primary

Source: disclosure@vulncheck.com

References

Hyperlink	Source	Resource
https://github.com/wekan/wekan/commit/2cd702f48df2b8aef0e7381685f8e089986a18a4	disclosure@vulncheck.com	N/A
https://github.com/wekan/wekan/releases/tag/v8.35	disclosure@vulncheck.com	N/A
https://www.vulncheck.com/advisories/wekan-missing-authorization-via-integration-rest-api	disclosure@vulncheck.com	N/A