Kanboard
CVE-2026-58660
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Kanboard through 1.2.52, fixed in commit 564cc30, BoardAjaxController save() method (used by the kanban board drag-and-drop endpoint) validates the caller's role on the attacker-supplied project_id but never verifies that the supplied task_id actually belongs to that project. Because task identifiers are sequential integers shared across the entire instance, any authenticated user who is a member of at least one project can enumerate and move (corrupt/hide) tasks belonging to any other project on the same instance, including private projects they have no membership or role on.
AnalysisAI
Broken object-level authorization in Kanboard through 1.2.52 lets any authenticated user who belongs to at least one project move, corrupt, or hide tasks in any other project on the same instance, including private projects they have no role on. The BoardAjaxController save() drag-and-drop endpoint checks the caller's role against the attacker-supplied project_id but never confirms the supplied task_id belongs to that project, and because task IDs are sequential integers shared instance-wide they are trivially enumerable. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
Within 24 hours, identify all Kanboard instances in production and confirm their versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Kanboard project management (through 1.2.48) has an authentication bypass when REVERSE_PROXY_AUTH is enabled. The applic
Kanboard is project management software that focuses on the Kanban methodology. Rated high severity (CVSS 8.8), this vul
Remote code execution in Kanboard prior to 1.2.50 allows authenticated administrators to bypass plugin installation rest
Kanboard prior to version 1.2.46 contains a host header injection vulnerability that allows unauthenticated attackers to
Kanboard is project management software that focuses on the Kanban methodology. Rated high severity (CVSS 7.2), this vul
Kanboard is project management software that focuses on the Kanban methodology. Rated high severity (CVSS 7.2), this vul
Cross-site request forgery (CSRF) vulnerability in Kanboard before 1.0.6 allows remote attackers to hijack the authentic
Kanboard is project management software that focuses on the Kanban methodology. Rated medium severity (CVSS 6.5), this v
Kanboard is open source project management software that focuses on the Kanban methodology. Rated medium severity (CVSS
Kanboard is open source project management software that focuses on the Kanban methodology. Rated medium severity (CVSS
Kanboard is project management software that focuses on the Kanban methodology. Rated medium severity (CVSS 6.3), this v
Kanboard versions prior to 1.2.50 contain a CSRF vulnerability in the ProjectPermissionController that accepts text/plai
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today