Plataforma
php
Componente
kanboard
Corregido en
1.2.51
CVE-2026-24885 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in Kanboard, a project management software utilizing the Kanban methodology. This flaw allows unauthorized modification of project user roles if an authenticated administrator visits a malicious website. The vulnerability impacts Kanboard versions 1.2.50 and earlier, and a fix is available in version 1.2.50.
The primary impact of CVE-2026-24885 is the potential for unauthorized modification of project user roles within Kanboard. An attacker could craft a malicious form, leveraging the application's failure to strictly enforce the application/json Content-Type for the changeUserRole action. By tricking an authenticated administrator into visiting this form, the attacker can execute arbitrary actions as that administrator, potentially granting themselves elevated privileges or manipulating project assignments. This could lead to data breaches, project disruption, or unauthorized access to sensitive information managed within Kanboard.
CVE-2026-24885 was publicly disclosed on 2026-02-10. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability's CVSS score of 5.7 (MEDIUM) suggests a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog.
Organizations utilizing Kanboard for project management, particularly those with administrative users who frequently interact with external websites or applications, are at risk. Shared hosting environments where multiple Kanboard instances reside on the same server could also be vulnerable if one instance is compromised.
• php: Examine Kanboard application logs for suspicious requests with Content-Type: text/plain targeting the changeUserRole endpoint. Use PHP's built-in logging to monitor for unusual activity.
// Example: Monitor for text/plain Content-Type
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_SERVER['CONTENT_TYPE']) && $_SERVER['CONTENT_TYPE'] === 'text/plain') {
error_log('Suspicious request: text/plain Content-Type detected for changeUserRole');
}disclosure
Estado del Exploit
EPSS
0.02% (5% percentil)
CISA SSVC
Vector CVSS
The primary mitigation for CVE-2026-24885 is to upgrade Kanboard to version 1.2.50 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider implementing a Content Security Policy (CSP) to restrict the sources from which Kanboard can load resources. Additionally, carefully review and validate all user input to prevent malicious requests. While a WAF might offer some protection, it is not a substitute for patching the vulnerability.
Actualice Kanboard a la versión 1.2.50 o superior. Esta versión corrige la vulnerabilidad CSRF al validar correctamente el Content-Type de las solicitudes. La actualización impedirá que atacantes modifiquen roles de usuario sin autorización.
Análisis de vulnerabilidades y alertas críticas directamente en tu correo.
CVE-2026-24885 is a Cross-Site Request Forgery (CSRF) vulnerability in Kanboard project management software, allowing unauthorized modification of project user roles.
Yes, if you are running Kanboard version 1.2.50 or earlier, you are affected by this vulnerability.
Upgrade Kanboard to version 1.2.50 or later to resolve the CSRF vulnerability. Consider implementing a Content Security Policy (CSP) as an interim measure.
No active exploitation has been confirmed at this time, but the vulnerability's potential impact warrants prompt mitigation.
Refer to the Kanboard security advisories on their official website or GitHub repository for the latest information and updates.
Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.