CVE-2025-52560

EUVD-2025-18976 | Severity: HIGH
Published: 2025-06-24
CVSS 3.1 base score: 8.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

- Analysis Generated: Mar 15, 2026 - 22:36 (vuln.today)
- EUVD ID Assigned: Mar 15, 2026 - 22:36 (euvd) - EUVD-2025-18976
- Patch Released: Mar 15, 2026 - 22:36 (nvd) - Patch available
- PoC Detected: Jan 13, 2026 - 19:35 (vuln.today) - Public exploit code
- CVE Published: Jun 24, 2025 - 03:15 (nvd) - HIGH 8.1

Description

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard allows password reset emails to be sent with URLs derived from the unvalidated Host header when the application_url configuration is unset (default behavior). This allows an attacker to craft a malicious password reset link that leaks the token to an attacker-controlled domain. If a victim (including an administrator) clicks the poisoned link, their account can be taken over. This affects all users who initiate a password reset while application_url is not set. This issue has been patched in version 1.2.46.

Analysis

Kanboard prior to version 1.2.46 contains a host header injection vulnerability that allows unauthenticated attackers to craft malicious password reset emails with attacker-controlled URLs when the application_url configuration is unset (default state). If a victim clicks the poisoned reset link, their password reset token is leaked to the attacker's domain, enabling complete account takeover including administrative accounts. This vulnerability requires user interaction (clicking a link) but affects all users initiating password resets on vulnerable instances, making it a practical and high-impact attack vector for account compromise.

Technical Context

The vulnerability stems from improper validation of the HTTP Host header (CWE-640: Weak Password Recovery Mechanism for Forgotten Password). Kanboard's password reset functionality builds reset URLs from the Host header whenever the application_url configuration parameter is not explicitly set. This is a classic host header injection flaw: attacker-controlled input from an HTTP request header is trusted without validation. The root cause is in the email generation code that builds the reset link URL. It should do one of the following: (1) validate the Host header against an allowlist, (2) require an explicit application_url configuration with no fallback to unvalidated headers, or (3) use a fixed canonical domain for reset links. The affected product is Kanboard project management software (CPE: purl:pkg:npm/kanboard or equivalent), specifically versions prior to 1.2.46. The vulnerability is in the password reset email generation component.

Affected Products

Kanboard < 1.2.46 (all versions prior to 1.2.46). Specifically affected when: (1) the Kanboard version is prior to 1.2.46, AND (2) the 'application_url' configuration parameter is not set (default configuration). Kanboard instances with application_url explicitly configured are not vulnerable. The vulnerability affects:
- All default Kanboard installations (most at risk)
- Self-hosted Kanboard instances where administrators have not explicitly set application_url
- Docker/container deployments using the default configuration
- Any installation running Kanboard < 1.2.46 where application_url is commented out or unset in config.php
Fixed in: Kanboard >= 1.2.46. The vendor advisory and patch should be obtained from Kanboard's official repository (github.com/kanboard/kanboard) or its security announcements.

Remediation

Immediate actions:
(1) Upgrade Kanboard to version 1.2.46 or later. This is the definitive fix: it validates Host headers and no longer relies on unvalidated headers for password reset URLs.
(2) For instances that cannot be upgraded immediately, set the 'application_url' configuration parameter explicitly in config.php to your actual canonical domain (e.g., 'application_url' => 'https://kanboard.company.com'). This bypasses the vulnerable Host header fallback logic.
(3) Monitor password reset activity and user login logs for suspicious patterns (logins from unusual locations or at unusual times following reset emails).
(4) Consider temporarily disabling password reset functionality if the application is internet-facing and patching cannot be applied immediately.
(5) Review and audit any password resets initiated while the instance was vulnerable.
(6) Force a password reset for all users (especially administrators) after patching to invalidate any tokens that may have been compromised.
Deployment verification: after patching to 1.2.46, verify that password reset emails contain URLs using the configured application_url or a properly validated Host header, not attacker-controlled domains.
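The following is an added example, not Kanboard's code, illustrating the root cause described under Technical Context and the deployment verification step above. It places the unsafe "use the Host header when application_url is unset" fallback beside a hardened builder (canonical URL first, explicit allowlist otherwise, refuse if neither), and adds an audit helper that scans reset email bodies for links whose origin is not the canonical one. The reset route '/reset?token=' and the hostnames are constructed placeholders, not Kanboard's real routes or any real domain.

```python
"""Added example (not Kanboard's own code): unsafe vs. hardened reset-link
construction, plus a post-patch check that reset emails point at the
canonical origin.

Assumptions (not taken from the advisory): RESET_PATH is a hypothetical
route, and every hostname below is a constructed placeholder.
"""
import re
from urllib.parse import urlsplit

RESET_PATH = "/reset?token="  # hypothetical route, not Kanboard's real one

# Constructed configs: the default leaves application_url empty (vulnerable state).
DEFAULT_CONFIG = {"application_url": ""}
HARDENED_CONFIG = {"application_url": "https://kanboard.example.test"}


def reset_link_unsafe(config, host_header, token):
    """The flawed pattern: with application_url unset, the link's origin is
    copied from the request's Host header, so whoever triggers the reset
    request decides which domain the token is delivered to."""
    base = config.get("application_url") or f"https://{host_header}"
    return f"{base.rstrip('/')}{RESET_PATH}{token}"


def reset_link_safe(config, host_header, token, allowed_hosts):
    """Hardened builder: prefer the configured canonical URL; if it is unset,
    accept the Host header only when it exactly matches an allowlist entry
    (case-insensitive), otherwise refuse to build a link at all."""
    base = config.get("application_url")
    if not base:
        host = host_header.strip().lower()
        if host not in {h.lower() for h in allowed_hosts}:
            raise ValueError(f"refusing reset link for unlisted host {host!r}")
        base = f"https://{host}"
    return f"{base.rstrip('/')}{RESET_PATH}{token}"


def link_is_canonical(link, canonical_origin):
    """Post-patch verification: True only if scheme, hostname and port of the
    link equal those of canonical_origin. Comparing parsed hostnames rather
    than string prefixes defeats look-alike suffixes and userinfo tricks."""
    got, want = urlsplit(link), urlsplit(canonical_origin)
    try:
        same_port = got.port == want.port
    except ValueError:  # malformed port in the link
        return False
    return (
        got.scheme == want.scheme
        and (got.hostname or "").lower() == (want.hostname or "").lower()
        and same_port
    )


URL_RE = re.compile(r"https?://[^\s<>\"']+")


def find_noncanonical_links(email_bodies, canonical_origin):
    """Audit helper: return (index, link) for every reset link whose origin
    differs from the canonical one, i.e. a reset email that may have been
    built from a poisoned Host header while the instance was vulnerable."""
    route = RESET_PATH.split("?")[0]
    flagged = []
    for i, body in enumerate(email_bodies):
        for link in URL_RE.findall(body):
            if route in link and not link_is_canonical(link, canonical_origin):
                flagged.append((i, link))
    return flagged


# Constructed sample reset emails for the audit helper (not real mail).
SAMPLE_EMAILS = [
    "Reset your password: https://kanboard.example.test/reset?token=tokA",
    "Reset your password: https://kanboard.example.test.attacker.test/reset?token=tokB",
    "Reset your password: https://kanboard.example.test@attacker.test/reset?token=tokC",
]

if __name__ == "__main__":
    canonical = HARDENED_CONFIG["application_url"]
    print("hardened config ignores Host header:",
          reset_link_safe(HARDENED_CONFIG, "attacker.test", "tokX", []))
    print("unset config + allowlist:",
          reset_link_safe(DEFAULT_CONFIG, "kanboard.example.test", "tokX",
                          ["kanboard.example.test"]))
    for idx, link in find_noncanonical_links(SAMPLE_EMAILS, canonical):
        print(f"email {idx}: non-canonical reset link {link}")
```

Setting application_url (the page's mitigation (2)) is what makes `reset_link_safe` ignore the Host header entirely; the allowlist branch only matters when that value is empty, and it fails closed rather than falling back to the header. The audit helper is the programmatic form of the "deployment verification" step: run it over captured reset emails and any hit deserves the token-invalidation and forced-reset actions listed above.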

Priority Score

61
KEV: 0
EPSS: +0.1
CVSS: +40
POC: +20

Vendor Status

Debian (Bug #1112361, package kanboard)

Release       Status   Fixed Version   Urgency
forky, sid    fixed    1.2.51+ds-1     -
(unstable)    fixed    1.2.47+ds-1     -


CVE-2025-52560 vulnerability details – vuln.today
