Scan free
CRITICALCVE-2026-21881CVSS 9.1

CVE-2026-21881: Authentication Bypass in Kanboard

Platform

php

Component

kanboard

Fixed in

1.2.50

AI Confidence: highNVDEPSS 0.3%Reviewed: May 2026
View on NVD
Save

CVE-2026-21881 is a critical authentication bypass vulnerability affecting Kanboard project management software versions 1.2.48 and earlier. An attacker can exploit this flaw to impersonate any user, including administrators, gaining unauthorized access to sensitive project data and control over the system. The vulnerability is caused by the application's failure to properly validate HTTP headers when REVERSEPROXYAUTH is enabled. A fix is available in version 1.2.49.

Impact and Attack Scenarios

This authentication bypass vulnerability poses a significant risk to Kanboard deployments. An attacker can leverage it to gain complete control over the system by impersonating an administrator. This could lead to unauthorized modification or deletion of project data, creation of fake users, and potentially even the installation of malicious code. The blast radius extends to all data managed within the Kanboard instance, and the attacker could use this access to pivot to other systems on the network if Kanboard is integrated with other services. The ease of exploitation, requiring only the ability to craft HTTP headers, makes this a high-priority concern.

Exploitation Context

CVE-2026-21881 was publicly disclosed on 2026-01-08. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's simplicity suggests that a PoC is likely to emerge quickly. The CVSS score of 9.1 (CRITICAL) reflects the high likelihood of exploitation and the significant impact. It is not currently listed on CISA KEV, but its severity warrants monitoring. Active exploitation is not yet confirmed.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.32% (55% percentile)

CISA SSVC

Exploitationpoc
Automatableyes
Technical Impacttotal

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N9.1CRITICALAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityHighRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentkanboard
Vendorkanboard
Affected rangeFixed in
< 1.2.49 – < 1.2.491.2.50

Weakness Classification (CWE)

CWE-287

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-21881 is to immediately upgrade Kanboard to version 1.2.49 or later. If upgrading is not immediately feasible, disabling the REVERSEPROXYAUTH feature can reduce the attack surface, but this may impact legitimate users relying on reverse proxy authentication. Consider implementing a Web Application Firewall (WAF) with rules to filter suspicious HTTP headers, specifically those related to user authentication. Regularly review Kanboard's access logs for any unusual activity. After upgrading, confirm the fix by attempting to authenticate with a spoofed HTTP header; authentication should fail.

How to fix

Update Kanboard to version 1.2.49 or higher. This version fixes the authentication bypass vulnerability by correctly validating the origin of HTTP headers when REVERSE_PROXY_AUTH is enabled. The update prevents user impersonation, including administrators.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-21881 — Authentication Bypass in Kanboard?

CVE-2026-21881 is a critical vulnerability in Kanboard versions 1.2.48 and below that allows attackers to bypass authentication by spoofing HTTP headers, potentially impersonating administrators.

Am I affected by CVE-2026-21881 in Kanboard?

You are affected if you are using Kanboard version 1.2.48 or earlier and have REVERSEPROXYAUTH enabled. Upgrade to version 1.2.49 to mitigate the risk.

How do I fix CVE-2026-21881 in Kanboard?

The recommended fix is to upgrade Kanboard to version 1.2.49 or later. If upgrading is not possible, disable REVERSEPROXYAUTH as a temporary workaround.

Is CVE-2026-21881 being actively exploited?

Active exploitation has not been confirmed at this time, but the vulnerability's simplicity suggests it may be exploited soon.

Where can I find the official Kanboard advisory for CVE-2026-21881?

Refer to the Kanboard security advisory for detailed information and updates: [https://kanboard.org/security/advisories](https://kanboard.org/security/advisories)

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs