CRITICAL · CVE-2024-51747 · CVSS 9.1

CVE-2024-51747: Arbitrary File Access in Kanboard

Platform: php
Component: kanboard
Fixed in: 1.2.43

AI Confidence: high · NVD · EPSS 2.0% · Reviewed: May 2026

CVE-2024-51747 describes a critical Arbitrary File Access vulnerability affecting Kanboard project management software versions up to 1.2.42. An authenticated administrator can exploit this flaw to read and delete arbitrary files on the server, potentially leading to complete data compromise. The vulnerability stems from insecure handling of file paths within the project database, allowing for path traversal attacks. A fix is available in version 1.2.42.

Impact and Attack Scenarios

This vulnerability poses a significant risk to Kanboard deployments. An attacker, once authenticated as an administrator, can leverage path traversal techniques to access and delete any file accessible by the web server process. This includes sensitive configuration files, database backups, and potentially even system files. The impact extends beyond simple data theft; an attacker could potentially gain complete control over the server by modifying critical system files or executing arbitrary code through file inclusion vulnerabilities. The ability to delete files also allows for denial-of-service attacks and data destruction, severely disrupting project management operations.

Exploitation Context

CVE-2024-51747 was publicly disclosed on 2024-11-11. There is currently no indication of active exploitation in the wild, but the ease of exploitation and the critical severity warrant immediate attention. No KEV listing exists as of this writing. Public proof-of-concept code is likely to emerge given the vulnerability's nature and the fact that the only precondition is an administrator account.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

1.98% (84% percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (base score 9.1, CRITICAL)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: High (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Changed (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
High — admin or privileged account required to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: kanboard
Vendor: kanboard
Affected range: < 1.2.42 – < 1.2.42
Fixed in: 1.2.43

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation is to immediately upgrade Kanboard to version 1.2.42 or later. If upgrading is not immediately feasible due to compatibility issues or downtime constraints, consider implementing temporary workarounds. Restrict file upload permissions to the Kanboard user account, minimizing the potential attack surface. Implement strict input validation on all file paths used within the application to prevent path traversal attempts. Monitor web server access logs for suspicious file access patterns, particularly requests containing directory traversal sequences (e.g., '../'). After upgrading, verify the fix by attempting to access a file outside the intended project directory through the file attachment feature; access should be denied.
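The input-validation workaround above, as an added illustration that is not Kanboard's own code: a PHP helper that refuses a file path taken from the project database unless it still resolves inside the attachment directory, rejecting `..` segments and absolute paths lexically before any filesystem access and re-checking after symlink resolution. The function names, `$baseDir` and `$storedPath` are assumptions; the sample paths are constructed.

```php
<?php
// Added example, not Kanboard's code: refuse a file path taken from the project
// database unless it still resolves inside the attachment directory. Names assumed.
function normalizeStoredPath(string $storedPath): ?string
{
    // Stored paths must be relative: reject NUL bytes, absolute paths and drive prefixes.
    if ($storedPath === '' || str_contains($storedPath, "\0")) {
        return null;
    }
    $path = str_replace('\\', '/', $storedPath);
    if ($path[0] === '/' || preg_match('~^[A-Za-z]:~', $path) === 1) {
        return null;
    }
    // Lexical normalization: drop '.' and empty segments, refuse any '..'.
    $parts = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            return null;
        }
        $parts[] = $segment;
    }
    return $parts === [] ? null : implode('/', $parts);
}

function resolveAttachmentPath(string $baseDir, string $storedPath): ?string
{
    $relative = normalizeStoredPath($storedPath);
    $base = realpath($baseDir);
    if ($relative === null || $base === false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . str_replace('/', DIRECTORY_SEPARATOR, $relative);
    // Second check after symlink resolution; the trailing separator stops a
    // sibling such as .../data2 from passing as .../data.
    $real = realpath($candidate);
    if ($real === false || !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $real;
}

// Constructed inputs: the first two are rejected before any filesystem access;
// the third is accepted only if the file exists under the attachment directory.
$baseDir = '/srv/kanboard/data/files';
var_dump(resolveAttachmentPath($baseDir, 'proj/../../../../etc/passwd'));
var_dump(resolveAttachmentPath($baseDir, '/etc/passwd'));
var_dump(resolveAttachmentPath($baseDir, 'proj/report.pdf'));
```

Calling such a check immediately before every read or unlink of a stored attachment path is what makes a traversal attempt fail closed even if the stored value was tampered with.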

How to fix

Update Kanboard to version 1.2.42 or higher. This version contains the fix for the arbitrary file read and delete vulnerability. The update can be performed through the Kanboard administration panel or by downloading the latest version of the software and replacing the existing files.

Frequently asked questions

What is CVE-2024-51747 — Arbitrary File Access in Kanboard?

CVE-2024-51747 is a critical vulnerability in Kanboard versions up to 1.2.42 allowing authenticated admins to read and delete arbitrary files on the server via path traversal.

Am I affected by CVE-2024-51747 in Kanboard?

Yes, if you are running Kanboard version 1.2.42 or earlier, you are vulnerable to this Arbitrary File Access issue.

How do I fix CVE-2024-51747 in Kanboard?

Upgrade Kanboard to version 1.2.42 or later to resolve this vulnerability. Implement temporary workarounds like restricting file upload permissions if immediate upgrade is not possible.

Is CVE-2024-51747 being actively exploited?

There is currently no confirmed active exploitation, but the vulnerability's severity and ease of exploitation suggest it could be targeted soon.

Where can I find the official Kanboard advisory for CVE-2024-51747?

Refer to the Kanboard security advisory on their official website or GitHub repository for detailed information and updates.
