Skip to main content

Kanboard EUVDEUVD-2026-39526

| CVE-2026-56774 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-25 VulnCheck GHSA-vvjm-mjq4-27c8
5.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Network-accessible endpoint requires a low-privilege authenticated account (PR:L); no confidentiality impact; session deletion yields minor integrity and availability degradation only.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 25, 2026 - 18:58 vuln.today
Analysis Generated
Jun 25, 2026 - 18:58 vuln.today

DescriptionCVE.org

Kanboard through 1.2.52, fixed in commit 928c68a, UserViewController::removeSession fails to validate the session id parameter before passing it to RememberMeSessionModel::remove, allowing authenticated users to delete other users' Remember Me sessions. Attackers can enumerate sequential session IDs and mass-invalidate persistent login sessions of any user, including administrators, forcing re-authentication and causing denial of service.

AnalysisAI

Authenticated session hijacking via IDOR in Kanboard through 1.2.52 allows any low-privilege user to mass-invalidate the persistent 'Remember Me' sessions of arbitrary users, including administrators, by enumerating sequential integer session IDs against the unguarded removeSession endpoint. The root-cause fix - scoping RememberMeSessionModel::remove() to the requesting user's own user_id - is confirmed in commit 928c68a via PR #5831. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege Kanboard account
Delivery
Observe own Remember Me session ID from HTTP traffic
Exploit
Enumerate sequential integer IDs via removeSession endpoint
Execution
Delete arbitrary users' persistent sessions
Impact
Force administrator and user re-authentication

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated Kanboard account with at minimum low-privilege access - unauthenticated exploitation is not possible per the CVSS PR:L designation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N - score 5.3 Medium) accurately reflects the threat model: network-accessible, low complexity, requiring only a valid low-privilege account. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated low-privilege Kanboard user inspects their browser's network traffic to identify their own Remember Me session ID after login, discovering it is a small sequential integer. The attacker then scripts a loop issuing DELETE-equivalent requests to the `removeSession` endpoint across a range of IDs (e.g., 1-10000), invalidating persistent sessions for all users including administrators. …
Remediation Update Kanboard to a build that includes commit 928c68aa2b7c00092dd71084d329b912e229f3d1 (PR #5831, https://github.com/kanboard/kanboard/pull/5831); self-hosted instances should pull from the patched HEAD or await a tagged release from the vendor. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-21881 CRITICAL POC
9.1 Jan 08

Kanboard project management (through 1.2.48) has an authentication bypass when REVERSE_PROXY_AUTH is enabled. The applic

CVE-2023-36813 HIGH POC
8.8 Jul 05

Kanboard is project management software that focuses on the Kanban methodology. Rated high severity (CVSS 8.8), this vul

CVE-2026-25924 HIGH POC
8.4 Feb 11

Remote code execution in Kanboard prior to 1.2.50 allows authenticated administrators to bypass plugin installation rest

CVE-2025-52560 HIGH POC
8.1 Jun 24

Kanboard prior to version 1.2.46 contains a host header injection vulnerability that allows unauthenticated attackers to

CVE-2026-58660 HIGH POC
7.2 Jul 15

Broken object-level authorization in Kanboard through 1.2.52 lets any authenticated user who belongs to at least one pro

CVE-2024-51748 HIGH POC
7.2 Nov 11

Kanboard is project management software that focuses on the Kanban methodology. Rated high severity (CVSS 7.2), this vul

CVE-2024-51747 HIGH POC
7.2 Nov 11

Kanboard is project management software that focuses on the Kanban methodology. Rated high severity (CVSS 7.2), this vul

CVE-2014-3920 MEDIUM POC
6.8 Jul 03

Cross-site request forgery (CSRF) vulnerability in Kanboard before 1.0.6 allows remote attackers to hijack the authentic

CVE-2024-55603 MEDIUM POC
6.5 Dec 19

Kanboard is project management software that focuses on the Kanban methodology. Rated medium severity (CVSS 6.5), this v

CVE-2023-33970 MEDIUM POC
6.5 Jun 05

Kanboard is open source project management software that focuses on the Kanban methodology. Rated medium severity (CVSS

CVE-2023-33956 MEDIUM POC
6.5 Jun 05

Kanboard is open source project management software that focuses on the Kanban methodology. Rated medium severity (CVSS

CVE-2024-36399 MEDIUM POC
6.3 Jun 06

Kanboard is project management software that focuses on the Kanban methodology. Rated medium severity (CVSS 6.3), this v

Share

EUVD-2026-39526 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy