{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/rest-api/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2026-41454"}],"_cs_exploited":false,"_cs_products":["WeKan"],"_cs_severities":["high"],"_cs_tags":["wekan","missing-authorization","rest-api","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["WeKan"],"content_html":"\u003cp\u003eWeKan, a collaborative Kanban board application, is vulnerable to a missing authorization issue in versions prior to 8.35. This flaw resides within the Integration REST API endpoints, where authenticated board members can execute administrative actions without sufficient privilege validation. Any authenticated user can exploit this vulnerability to enumerate integrations, including webhook URLs, create new integrations, modify or delete existing integrations, and manage integration activities. The root cause is insufficient authorization checks within the JsonRoutes REST handlers. Successful exploitation can lead to unauthorized access to sensitive information and modification of board configurations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid credentials for a WeKan board member account.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the WeKan application via the standard login procedure.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the \u003ccode\u003e/api/integration\u003c/code\u003e endpoint without proper administrative privileges.\u003c/li\u003e\n\u003cli\u003eDue to missing authorization checks, the request is processed, and the attacker is able to enumerate existing integrations, including sensitive webhook URLs.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts another HTTP request to the \u003ccode\u003e/api/integration\u003c/code\u003e endpoint to create a new, malicious integration (e.g., a webhook that sends data to an external attacker-controlled server).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies existing integrations to redirect data flow to attacker-controlled endpoints.\u003c/li\u003e\n\u003cli\u003eThe attacker deletes legitimate integrations, disrupting board functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker manages integration activities, potentially triggering malicious actions or gaining further information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to perform administrative actions on WeKan boards without proper authorization. This can lead to the exposure of sensitive webhook URLs, unauthorized modification or deletion of integrations, and the creation of malicious integrations for data exfiltration or disruption. The CVSS v3.1 score of 8.3 indicates a high severity vulnerability with significant potential for data compromise and system impact. The number of affected WeKan installations is currently unknown, but organizations using WeKan for project management and collaboration are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade WeKan to version 8.35 or later to patch CVE-2026-41454, addressing the missing authorization vulnerability as detailed in the \u003ca href=\"#references\"\u003ereference links\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect WeKan Integration API Abuse\u0026rdquo; to identify potential exploitation attempts against the Integration REST API endpoints, monitoring webserver logs for unusual API requests.\u003c/li\u003e\n\u003cli\u003eReview and restrict access rights for WeKan board members, ensuring that only authorized personnel have administrative privileges to minimize the attack surface as outlined in the \u003ca href=\"#overview\"\u003eoverview\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for requests to \u003ccode\u003e/api/integration\u003c/code\u003e with methods like POST, PUT, and DELETE originating from non-admin users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T10:00:00Z","date_published":"2026-04-23T10:00:00Z","id":"/briefs/2026-04-wekan-missing-auth/","summary":"WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints, allowing authenticated board members to perform administrative actions without proper privilege verification, potentially leading to unauthorized data access and modification.","title":"WeKan Missing Authorization Vulnerability in Integration REST API","url":"https://feed.craftedsignal.io/briefs/2026-04-wekan-missing-auth/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7042"}],"_cs_exploited":false,"_cs_products":["MiroFish"],"_cs_severities":["high"],"_cs_tags":["cve-2026-7042","authentication-bypass","rest-api"],"_cs_type":"advisory","_cs_vendors":["666ghj"],"content_html":"\u003cp\u003eA critical authentication bypass vulnerability, tracked as CVE-2026-7042, has been identified in 666ghj MiroFish software up to version 0.1.2. The vulnerability lies within the \u003ccode\u003ecreate_app\u003c/code\u003e function of the \u003ccode\u003ebackend/app/__init__.py\u003c/code\u003e file, which manages the REST API Endpoint. A remote attacker can exploit this flaw by manipulating specific parameters within API requests, effectively bypassing authentication mechanisms. This allows unauthorized access to sensitive functionalities and data. Public exploits are available, increasing the risk of widespread exploitation. The vendor was notified, but has not yet responded.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable MiroFish instance running version 0.1.2 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the REST API Endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request manipulates parameters intended for the \u003ccode\u003ecreate_app\u003c/code\u003e function, specifically designed to bypass authentication checks.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003ecreate_app\u003c/code\u003e function fails to properly validate the request due to the missing authentication check.\u003c/li\u003e\n\u003cli\u003eThe application grants unauthorized access to protected resources or functionalities.\u003c/li\u003e\n\u003cli\u003eThe attacker performs unauthorized actions, such as data exfiltration, modification, or deletion, depending on the exposed API endpoints.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the initial access to further compromise the system or pivot to other internal resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7042 allows an attacker to bypass authentication controls in MiroFish applications. This can lead to unauthorized access to sensitive data, modification of application settings, or complete system compromise. The lack of authentication on the REST API endpoint can have severe implications for data confidentiality, integrity, and availability. Given the availability of a public exploit, affected organizations are at immediate risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious HTTP requests targeting the REST API Endpoint with unusual parameters, using the provided Sigma rule that detects anomalous HTTP methods in webserver logs.\u003c/li\u003e\n\u003cli\u003eApply any available patches or updates from 666ghj to address CVE-2026-7042 immediately.\u003c/li\u003e\n\u003cli\u003eReview the affected \u003ccode\u003ebackend/app/__init__.py\u003c/code\u003e file for authentication logic flaws and implement necessary security measures.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-mirofish-auth-bypass/","summary":"A missing authentication vulnerability (CVE-2026-7042) exists in 666ghj MiroFish up to version 0.1.2, allowing remote attackers to bypass authentication via manipulation of the REST API Endpoint's create_app function.","title":"666ghj MiroFish REST API Authentication Bypass (CVE-2026-7042)","url":"https://feed.craftedsignal.io/briefs/2024-01-mirofish-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Rest-Api","version":"https://jsonfeed.org/version/1.1"}