Kanboard security vulnerability allows login as any user
Kanboard contains three security vulnerabilities. The most serious allows logging in as any user. An update is available.
(Image: heise online / Kanboard)
The open-source Kanban tool Kanboard is affected by three vulnerabilities. The developers rate one of them as critical: it allows logging in as any user, provided a specific configuration option is set.
The release announcement for Kanboard 1.2.49 mentions several security-relevant fixes, and CVE entries exist for the vulnerabilities. If the REVERSE_PROXY_AUTH option is enabled, Kanboard blindly trusts HTTP headers as coming from authenticated users without checking whether the request actually originates from a trusted reverse proxy (CVE-2026-21881, CVSS 9.1, risk “critical”). This effectively allows authentication to be bypassed.
Kanboard: also medium-severity vulnerabilities
Furthermore, attackers can inject input into LDAP search filters because it is not correctly sanitized. This allows them to enumerate all LDAP users, discover sensitive user attributes, and use this knowledge for targeted attacks against specific accounts (CVE-2026-21880, CVSS 5.4, risk “medium”). An open redirect vulnerability allows attackers to send authenticated users to websites under their control by crafting URLs of the form “//evil.com”, which slip past the URL filter. This enables phishing attacks, credential theft, or malware distribution (CVE-2026-21879, CVSS 4.7, risk “medium”).
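The two checks the article describes as missing, the trusted-proxy test behind reverse-proxy authentication and the rejection of protocol-relative redirect targets such as “//evil.com”, are shown below as an added illustration. This is not Kanboard's code (Kanboard is written in PHP; this is Python), and the proxy address, the REMOTE_USER header name and the sample URLs are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed: only this address may assert a user's identity via headers.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def naive_proxy_user(headers):
    """Weak pattern: trust the identity header from any client (no proxy check)."""
    return headers.get("REMOTE_USER")  # header name is an assumption


def proxy_user(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Accept the identity header only if the TCP peer is a configured trusted proxy."""
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in trusted):
        return None  # header came straight from an untrusted client: ignore it
    return headers.get("REMOTE_USER")


def naive_redirect_ok(url):
    """Weak filter: 'starts with / and has no scheme' still admits //evil.com."""
    return url.startswith("/") and "://" not in url


def redirect_ok(url):
    """Accept only a same-site path: one leading slash, no scheme, no host."""
    if not url or url[0] != "/" or url[1:2] in ("/", "\\"):
        return False  # rejects //host and /\host, which browsers treat as hosts
    parts = urlsplit(url)
    # urlsplit also exposes a host smuggled in through stripped control chars.
    return parts.scheme == "" and parts.netloc == "" and parts.path.startswith("/")


if __name__ == "__main__":
    for u in ("/board/1", "//evil.com", "/\\evil.com", "https://evil.com"):
        print(f"{u!r}: naive={naive_redirect_ok(u)} hardened={redirect_ok(u)}")
    hdrs = {"REMOTE_USER": "admin"}
    print("from client:", proxy_user("203.0.113.7", hdrs))
    print("from proxy: ", proxy_user("10.0.0.5", hdrs))
```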
The developers have fixed all these problems in Kanboard 1.2.49. The updated source code is available on the Kanboard GitHub page. Linux distributions are expected to follow shortly with patched packages. IT administrators should check their distribution's package manager for updates.
Most recently, a highly critical vulnerability in Kanboard was discovered last June. It allowed attackers to take over Kanboard accounts.
(dmk)