Platform: php
Component: kanboard
Fixed in: 1.2.51
CVE-2026-24885 describes a Cross-Site Request Forgery (CSRF) vulnerability in Kanboard, project management software based on the Kanban methodology. The flaw allows unauthorized modification of project user roles if an authenticated administrator visits a malicious website. The vulnerability affects Kanboard versions 1.2.50 and earlier, and a fix is available in version 1.2.50.
The primary impact of CVE-2026-24885 is unauthorized modification of project user roles within Kanboard. An attacker could craft a malicious form that exploits the application's failure to strictly enforce the application/json Content-Type for the changeUserRole action. By tricking an authenticated administrator into visiting a page that submits this form, the attacker can have the action executed as that administrator, potentially granting themselves elevated privileges or manipulating project assignments. This could lead to data breaches, project disruption, or unauthorized access to sensitive information managed within Kanboard.
CVE-2026-24885 was publicly disclosed on 2026-02-10. No public proof-of-concept (PoC) code had been released at the time of writing. The vulnerability's CVSS score of 5.7 (MEDIUM) indicates moderate severity. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-24885 is to upgrade Kanboard to version 1.2.50 or later, which includes the fix. If upgrading immediately is not feasible, consider implementing a Content Security Policy (CSP) to restrict the sources from which Kanboard can load resources. Additionally, carefully review and validate all user input to prevent malicious requests. A WAF might offer some protection, but it is not a substitute for patching the vulnerability.
Update Kanboard to version 1.2.50 or higher. This version corrects the CSRF vulnerability by strictly validating the Content-Type of requests to the affected action: a browser form can only submit application/x-www-form-urlencoded, multipart/form-data or text/plain, so a cross-site form post declaring anything other than application/json no longer reaches the role-change logic. The update therefore prevents attackers from modifying user roles without authorization.
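The kind of Content-Type check the fix relies on, shown as an added example that is not Kanboard's own code; the function names, the hypothetical action gate and the sample headers are assumptions:

```php
<?php
// Added example, not Kanboard's own code: a strict Content-Type gate for a
// JSON-only action such as changeUserRole. A browser form can only submit
// application/x-www-form-urlencoded, multipart/form-data or text/plain, so
// requiring application/json rejects a cross-site form post before the action
// runs. Function and parameter names here are hypothetical.

// True only if the declared media type is exactly application/json. An optional
// "charset=" parameter is tolerated; anything else is refused. The media type
// comparison is case-insensitive, as RFC 9110 requires.
function isStrictJsonRequest(?string $contentType): bool
{
    if ($contentType === null || trim($contentType) === '') {
        return false;                         // missing header is not JSON
    }
    $parts = array_map('trim', explode(';', $contentType));
    $mediaType = strtolower(array_shift($parts));
    if ($mediaType !== 'application/json') {
        return false;
    }
    foreach ($parts as $param) {
        if (stripos($param, 'charset=') !== 0) {
            return false;                     // unexpected parameter
        }
    }
    return true;
}

// Gate a state-changing JSON action: a wrong method or Content-Type gets a 4xx
// and never reaches the role-change logic. This complements, not replaces, a
// per-request CSRF token and SameSite session cookies.
function readJsonAction(string $method, ?string $contentType, string $rawBody): array
{
    if ($method !== 'POST') {
        http_response_code(405);
        throw new RuntimeException('POST required');
    }
    if (!isStrictJsonRequest($contentType)) {
        http_response_code(415);
        throw new RuntimeException('Content-Type must be application/json');
    }
    return (array) json_decode($rawBody, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed sample headers: a cross-site form post and a legitimate API call.
var_dump(isStrictJsonRequest('application/x-www-form-urlencoded'));
var_dump(isStrictJsonRequest('Application/JSON; charset=utf-8'));
var_dump(readJsonAction('POST', 'application/json', '{"role":"example-role"}'));
```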
CVE-2026-24885 is a Cross-Site Request Forgery (CSRF) vulnerability in Kanboard project management software, allowing unauthorized modification of project user roles.
Yes, if you are running Kanboard version 1.2.50 or earlier, you are affected by this vulnerability.
Upgrade Kanboard to version 1.2.50 or later to resolve the CSRF vulnerability. Consider implementing a Content Security Policy (CSP) as an interim measure.
No active exploitation has been confirmed at this time, but the vulnerability's potential impact warrants prompt mitigation.
Refer to the Kanboard security advisories on their official website or GitHub repository for the latest information and updates.