Platform
php
Component
kanboard
Fixed in
1.2.51
CVE-2026-24885 describes a Cross-Site Request Forgery (CSRF) vulnerability in Kanboard, a project management application built around the Kanban methodology. The flaw lets an attacker change project user roles without authorization when an authenticated administrator visits a malicious website. Kanboard versions 1.2.50 and earlier are affected; the fix is available in version 1.2.51.
The impact of CVE-2026-24885 is unauthorized modification of project user roles within Kanboard. The changeUserRole action accepts a JSON body but does not strictly enforce the application/json Content-Type. An attacker can therefore host an ordinary HTML form on a site they control: a form cannot send application/json, but it can send a text/plain body whose bytes are also valid JSON. When an authenticated administrator visits that page, the browser submits the form with the administrator's session cookie, and the role change runs with the administrator's privileges. The attacker can use this to grant themselves an elevated project role or to manipulate project assignments, which can lead to unauthorized access to sensitive project data or to disruption of the projects managed in Kanboard.
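The mechanism described above, as an added example that is not from this page or from Kanboard's code base: a small Python model of the changeUserRole handler in its loose and strict forms, fed a forged text/plain form body (the trick a cross-site HTML form with enctype="text/plain" relies on) and a legitimate application/json request. The function names, the request shape and the field names are assumptions made for the illustration; only the role names follow Kanboard's naming.

```python
import json

# The only Content-Types a cross-origin HTML <form> can submit without a CORS
# preflight. An endpoint that insists on application/json is therefore out of
# reach of a plain form, which is the check the strict handler enforces.
FORM_SENDABLE_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def media_type(header: str) -> str:
    """Return the bare media type of a Content-Type header, dropping parameters
    such as '; charset=utf-8' and normalising case."""
    return header.split(";", 1)[0].strip().lower()


def forge_text_plain_body(payload: dict) -> bytes:
    """Build the body a browser sends for <form enctype="text/plain"> with one
    input, named so that the browser's 'name=value\\r\\n' encoding is still
    valid JSON: the name holds the real fields plus a dangling dummy key, and
    the value closes that key, so the inserted '=' lands inside a throw-away
    string."""
    inner = json.dumps(payload)[1:-1]        # fields without the outer braces
    name = "{" + inner + ',"_pad":"'         # {...,"_pad":"
    value = '"}'                             # "}
    return (name + "=" + value + "\r\n").encode()


def _apply_role_change(method: str, body: bytes, roles: dict) -> bool:
    """Shared body handling: parse the JSON body and record the new role."""
    if method != "POST":
        return False
    try:
        data = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return False
    if not isinstance(data, dict) or not {"project_id", "user_id", "role"} <= data.keys():
        return False
    roles[(data["project_id"], data["user_id"])] = data["role"]
    return True


def change_user_role_vulnerable(method, content_type, body, roles) -> bool:
    """Weak handler (a model of the flaw, not Kanboard's code): the Content-Type
    is never consulted, so a forged text/plain form body is accepted."""
    return _apply_role_change(method, body, roles)


def change_user_role_fixed(method, content_type, body, roles) -> bool:
    """Hardened handler: exact media-type match before the body is touched.
    A cross-site form cannot produce application/json, so the forged
    submission is refused while the application's own JSON calls still work."""
    if media_type(content_type) != "application/json":
        return False
    return _apply_role_change(method, body, roles)


def simulate() -> dict:
    """Push a forged cross-site form submission and a legitimate JSON request
    through both handlers and report what each accepted."""
    # Constructed sample payload; the request shape is assumed for this example.
    payload = {"project_id": 1, "user_id": 7, "role": "project-manager"}
    forged = ("text/plain", forge_text_plain_body(payload))
    legit = ("application/json; charset=utf-8", json.dumps(payload).encode())

    results = {}
    for label, handler in (("vulnerable", change_user_role_vulnerable),
                           ("fixed", change_user_role_fixed)):
        roles = {}
        results[label] = {
            "forged_form_accepted": handler("POST", forged[0], forged[1], roles),
            "legit_json_accepted": handler("POST", legit[0], legit[1], roles),
            "forged_type_is_form_sendable": media_type(forged[0]) in FORM_SENDABLE_TYPES,
            "legit_type_is_form_sendable": media_type(legit[0]) in FORM_SENDABLE_TYPES,
        }
    return results


if __name__ == "__main__":
    for label, outcome in simulate().items():
        print(label, outcome)
```

Running the file shows the vulnerable handler accepting both requests and the fixed handler accepting only the application/json one. Two details matter in practice: the comparison must be on the bare media type (parameters such as charset stripped), or legitimate clients get rejected; and the check must run before the body is parsed, so a forged body never reaches the role-change logic.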
CVE-2026-24885 was publicly disclosed on 2026-02-10. No public proof-of-concept (PoC) code had been released at the time of writing. The CVSS score of 5.7 (MEDIUM) rates severity, not likelihood; the EPSS estimate of 0.02% (5th percentile) indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog.
Any organization running an affected Kanboard version is at risk, in particular where administrators browse other websites while holding an authenticated Kanboard session, since the attack needs only that the administrator's browser load a page the attacker controls. The hosting model does not change this picture: the forged request is issued by the victim's own browser, not by another tenant on the same server.
• php: Examine the web server and Kanboard application logs for POST requests to the changeUserRole action whose Content-Type is text/plain (or any type other than application/json, since a cross-site form can also send application/x-www-form-urlencoded or multipart/form-data). Server-side, a small PHP check can log such requests:
// Example: log POST requests to the changeUserRole action whose Content-Type is not
// application/json (a cross-site form can only send text/plain, urlencoded or multipart).
// Assumes the action is routed via the query string as action=changeUserRole.
$mediaType = strtolower(trim(explode(';', $_SERVER['CONTENT_TYPE'] ?? '')[0]));
$isRoleChange = strpos($_SERVER['QUERY_STRING'] ?? '', 'action=changeUserRole') !== false;
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && $isRoleChange && $mediaType !== 'application/json') {
    error_log('Suspicious changeUserRole request: Content-Type "' . $mediaType . '" from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
}
Disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-24885 is to upgrade Kanboard to version 1.2.51 or later, which rejects changeUserRole requests that do not carry the application/json Content-Type. A Content Security Policy on the Kanboard site does not block this attack: the forged form lives on the attacker's page, and CSP governs what Kanboard's own pages may load or submit to, not what other origins may send to Kanboard. If upgrading immediately is not feasible, reduce exposure instead: have administrators use a separate browser profile for Kanboard and not browse other sites while logged in, and, where the deployment allows it, set the session cookie's SameSite attribute to Lax or Strict so the browser does not attach it to cross-site form posts. A WAF rule that blocks POST requests to changeUserRole with a non-JSON Content-Type can buy time, but it is not a substitute for patching.
Update Kanboard to version 1.2.51 or later. This version fixes the CSRF vulnerability by validating the Content-Type of requests correctly. The update prevents attackers from changing user roles without authorization.
CVE-2026-24885 is a Cross-Site Request Forgery (CSRF) vulnerability in Kanboard project management software, allowing unauthorized modification of project user roles.
Yes, if you are running Kanboard version 1.2.50 or earlier, you are affected by this vulnerability.
Upgrade Kanboard to version 1.2.51 or later to resolve the CSRF vulnerability. A Content Security Policy is not an effective interim measure against this attack; until you can upgrade, keep administrative sessions isolated from general browsing.
No active exploitation has been confirmed at this time, but the vulnerability's potential impact warrants prompt mitigation.
Refer to the Kanboard security advisories on their official website or GitHub repository for the latest information and updates.