Kanboard: Security gap enables account takeover
In the open-source Kanban software Kanboard, attackers can forge password reset links that lead to account takeover. An update corrects this.
The developers have patched a high-risk vulnerability in the open-source Kanban software Kanboard with an updated software version. Attackers can use it to take over Kanboard accounts.
The Kanboard developers discuss the vulnerability in a security announcement in the GitHub repository. “Kanboard allows password reset emails to be sent with URLs originating from the unverified host header if the 'application_url' configuration is not set – which is Kanboard's default setting. Attackers can create a malicious password reset link that forwards the token to an attacker-controlled domain. If victims – including administrators – click on the maliciously crafted link, attackers can take over the account. This affects all users who initiate a password reset while 'application_url' is not set”, they write there (CVE-2025-52560 / EUVD-2025-18976, CVSS 8.1, risk “high”).
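The mechanism the advisory describes can be shown in a few lines: a reset link whose base URL is derived from the request's Host header goes wherever that header points, while one derived from a configured `application_url` (or from an explicit host allowlist) stays on the real instance. The following is an added illustration, not Kanboard's own code; the reset path `password/reset`, the host names and the access-log lines are constructed for the example.

```python
"""Illustration of the host-header password-reset problem behind CVE-2025-52560.
Added example, not Kanboard's code: the reset link's base URL is taken from the
unverified Host header unless an application URL is configured."""
from urllib.parse import urlparse, urlencode

# Hypothetical reset route used for the example; Kanboard's real route is not reproduced.
RESET_PATH = "password/reset"


def base_url_from_host_header(headers, scheme="https"):
    """Vulnerable pattern: whatever Host the client sent becomes the link base."""
    return f"{scheme}://{headers.get('Host', 'localhost')}/"


def base_url_hardened(application_url, headers, allowed_hosts, scheme="https"):
    """Mitigation: use the configured application_url; when none is set, only
    accept a Host value from an explicit allowlist instead of trusting the header."""
    if application_url:
        return application_url.rstrip("/") + "/"
    host = headers.get("Host", "")
    if host not in allowed_hosts:
        raise ValueError(f"refusing to build links for unexpected Host {host!r}")
    return f"{scheme}://{host}/"


def reset_link(base_url, token):
    """Build the link that would be e-mailed to the user who requested a reset."""
    return f"{base_url}{RESET_PATH}?{urlencode({'token': token})}"


def link_leaks_token(link, expected_host):
    """True if the token in this link would be sent to a host other than the real instance."""
    return urlparse(link).hostname != expected_host


# Constructed access-log lines in the form: host client_ip "request" status
SAMPLE_LOG = [
    'kanboard.example.org 203.0.113.7 "POST /password/reset HTTP/1.1" 302',
    'kanboard.example.org 203.0.113.8 "GET /board/1 HTTP/1.1" 200',
    'attacker.example 198.51.100.9 "POST /password/reset HTTP/1.1" 302',
]


def suspicious_reset_requests(log_lines, expected_host):
    """Return log lines where a reset request arrived under a Host that is not the
    instance's real name, which is what an abused Host header looks like server-side."""
    hits = []
    for line in log_lines:
        host, _client_ip, request = line.split(" ", 2)
        if RESET_PATH in request and host != expected_host:
            hits.append(line)
    return hits


if __name__ == "__main__":
    forged = {"Host": "attacker.example"}
    bad_link = reset_link(base_url_from_host_header(forged), "tok123")
    print("unverified Host header ->", bad_link, "leaks:", link_leaks_token(bad_link, "kanboard.example.org"))
    good_link = reset_link(base_url_hardened("https://kanboard.example.org/", forged, set()), "tok123")
    print("configured application_url ->", good_link, "leaks:", link_leaks_token(good_link, "kanboard.example.org"))
    print("suspicious reset requests:", suspicious_reset_requests(SAMPLE_LOG, "kanboard.example.org"))
```

The detection function assumes the web server logs the Host value of each request (for example nginx's `$host` placed first in the log format); a reset request that arrives under a host name that is not the instance's own is worth alerting on, independently of whether the update has been installed.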
Kanboard: Vulnerable versions
Apparently, some social engineering is also required to persuade potential victims to request a password reset. The bug affects Kanboard versions before the current release 1.2.46. The developers released the update on Sunday. In addition to this security fix, the release notes for Kanboard 1.2.46 list other bug fixes and some new functions. One important note is that PHP 7.4 is no longer supported: Kanboard 1.2.46 requires at least PHP 8.1, and the Docker image uses PHP 8.4 by default.
Admins should install the update promptly, as the risk rating is “high”. The Kanboard developers provide updated sources as well as Docker containers; they link to both in the release notes and discuss the Docker update there.
(dmk)