CVE-2025-65782 is an authorization flaw identified in Wekan, an open-source kanban board system widely used for task and project management. The vulnerability exists in the handling of card updates related to voting functionality. Specifically, authenticated board members—and potentially other authenticated users—can manipulate the vote.positive and vote.negative arrays by adding or removing arbitrary user IDs. This manipulation enables vote forgery, allowing an attacker to cast unauthorized votes or remove legitimate votes, thus compromising the integrity of the voting process on boards. The flaw does not expose confidential data nor does it disrupt system availability, but it undermines trust in collaborative decision-making. The vulnerability requires the attacker to have authenticated access to the system, but no additional user interaction is needed. The CVSS v3.1 score of 6.5 reflects a medium severity, with network attack vector, low attack complexity, and privileges required. The issue was fixed in Wekan version 18.16, so users running versions up to 18.15 are vulnerable. No known exploits are reported in the wild as of now. This vulnerability is categorized under CWE-285 (Improper Authorization), highlighting a failure to enforce proper access controls on vote manipulation operations.

For European organizations, the primary impact of this vulnerability lies in the integrity of collaborative workflows and decision-making processes. Organizations relying on Wekan for project management, task prioritization, or team voting could experience manipulated outcomes, potentially leading to misguided business decisions or internal conflicts. While the vulnerability does not directly compromise sensitive data or system availability, the erosion of trust in the voting mechanism can have operational and reputational consequences. In regulated industries or sectors with strict governance requirements, such as finance or healthcare, unauthorized vote manipulation could violate compliance mandates related to auditability and process integrity. The requirement for authenticated access limits exposure to internal or trusted users, but insider threats or compromised credentials could be leveraged to exploit this flaw. The absence of known exploits reduces immediate risk but does not preclude future attacks, especially as awareness of the vulnerability spreads.

The most effective mitigation is to upgrade Wekan installations to version 18.16 or later, where the authorization flaw has been addressed. Organizations should prioritize patching vulnerable instances promptly. Additionally, review and tighten access controls to restrict board membership and voting privileges to trusted users only. Implement monitoring and auditing of vote changes to detect anomalous patterns indicative of manipulation. Employ multi-factor authentication (MFA) to reduce the risk of credential compromise among users with voting rights. For environments where immediate patching is not feasible, consider disabling or restricting voting features temporarily. Educate users about the risks of insider threats and enforce strict credential management policies. Finally, maintain regular backups of board data to enable recovery in case of malicious alterations.