Description
Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below are vulnerable to an Open Redirect attack that allows malicious actors to redirect authenticated users to attacker-controlled websites. By crafting URLs such as //evil.com, attackers can bypass the filter_var($url, FILTER_VALIDATE_URL) validation check. This vulnerability could be exploited to conduct phishing attacks, steal user credentials, or distribute malware. The issue is fixed in version 1.2.49.
Published: 2026-01-08
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect enabling phishing, credential theft, and malware distribution
Action: Patch
AI Analysis

Impact

Kanboard versions 1.2.48 and earlier allow an attacker to craft protocol-relative URLs such as //evil.com that bypass the built-in URL validation and result in an Open Redirect. The redirect is performed for authenticated users and can be leveraged to load phishing pages, steal credentials, or serve malicious payloads. The weakness is a classic URL validation flaw (CWE-601).

Affected Systems

The affected product is Kanboard. All releases up to and including 1.2.48 are vulnerable. The issue is resolved by installing version 1.2.49 or later.

Risk and Exploitability

With a CVSS score of 4.7 the threat is moderate; the EPSS score is below 1%, indicating limited exploitation probability at present, and the vulnerability is not listed in CISA’s KEV catalog. Attackers must send a crafted link to an authenticated user, but no special eligibility beyond possession of a valid account is required. Failure to remediate may allow phishing campaigns to target users within the application.

Generated by OpenCVE AI on April 18, 2026 at 16:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-provided upgrade to Kanboard 1.2.49 or later where the redirect flaw is fixed.
  • Implement a temporary fix that rejects or rewrites protocol-relative URLs on the server side, ensuring that all redirects contain a full scheme such as https://.
  • Enable monitoring of redirect URLs and educate users about the risks of following untrusted links; consider disabling optional redirect features if the application permits.
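The description explains that a protocol-relative URL such as //evil.com slips past a check built on filter_var($url, FILTER_VALIDATE_URL), and the recommended actions call for rejecting such URLs on the server side and always redirecting with a full scheme. The PHP below is an added example, not Kanboard's own code and not the project's fix: it places the weak pattern (treating anything filter_var() does not recognise as a URL as a safe local path) next to a hardened check that accepts only single-slash-rooted paths on the current site and builds the Location header from a configured base URL. The function names, the base URL kanboard.example and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not Kanboard's code): weak vs. hardened redirect-target validation.
declare(strict_types=1);

/**
 * Weak pattern: anything filter_var() rejects is assumed to be a local path.
 * FILTER_VALIDATE_URL requires a scheme, so "//evil.com" is NOT recognised as
 * a URL and passes this check, yet every browser resolves it to https://evil.com.
 */
function isLocalRedirectWeak(string $url): bool
{
    return filter_var($url, FILTER_VALIDATE_URL) === false;
}

/**
 * Hardened check: accept only an absolute path on this site.
 * Rejects a scheme or authority, the protocol-relative forms "//host" and
 * "/\host" (browsers normalise the backslash), control characters, and
 * anything that is not rooted at a single "/".
 */
function isLocalRedirectSafe(string $url): bool
{
    if ($url === '' || $url[0] !== '/') {
        return false;                         // must start with "/"
    }
    if (strlen($url) > 1 && ($url[1] === '/' || $url[1] === '\\')) {
        return false;                         // "//evil.com" or "/\evil.com"
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $url) === 1) {
        return false;                         // CR/LF and other control bytes
    }
    $parts = parse_url($url);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return false;                         // parse_url() found an authority
    }
    return true;
}

/**
 * Build the final Location value. Scheme and host come from configuration
 * (constructed value below), never from the request, so the redirect always
 * carries a full "https://" prefix as the recommended action requires.
 */
function buildRedirectLocation(string $baseUrl, string $url, string $fallback = '/'): string
{
    $target = isLocalRedirectSafe($url) ? $url : $fallback;
    return rtrim($baseUrl, '/') . $target;
}

// Constructed sample inputs: one legitimate path, three that must be blocked.
$samples = ['/board/1', '//evil.com', '/\\evil.com', 'https://evil.com'];
foreach ($samples as $s) {
    printf("%-18s weak=%-5s safe=%-5s -> %s\n", $s,
        isLocalRedirectWeak($s) ? 'pass' : 'block',
        isLocalRedirectSafe($s) ? 'pass' : 'block',
        buildRedirectLocation('https://kanboard.example', $s));
}
```

Running this shows the gap the advisory describes: the weak check blocks https://evil.com but lets //evil.com and /\evil.com through, because filter_var() does not treat a scheme-less string as a URL. The hardened check only ever emits https://kanboard.example/... targets, which is also what to look for when monitoring redirect responses: any Location header whose host is not the application's own is a finding.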

Generated by OpenCVE AI on April 18, 2026 at 16:46 UTC.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 18:30:00 +0000

Type    Values Removed    Values Added
CPEs    -                 cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*

Thu, 08 Jan 2026 19:15:00 +0000

Type       Values Removed    Values Added
Metrics    -                 ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 10:00:00 +0000

Type                   Values Removed    Values Added
First Time appeared    -                 Kanboard; Kanboard kanboard
Vendors & Products     -                 Kanboard; Kanboard kanboard

Thu, 08 Jan 2026 01:30:00 +0000

Type           Values Removed    Values Added
Description    -                 Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below are vulnerable to an Open Redirect attack that allows malicious actors to redirect authenticated users to attacker-controlled websites. By crafting URLs such as //evil.com, attackers can bypass the filter_var($url, FILTER_VALIDATE_URL) validation check. This vulnerability could be exploited to conduct phishing attacks, steal user credentials, or distribute malware. The issue is fixed in version 1.2.49.
Title          -                 Kanboard vulnerable to Open Redirect via protocol-relative URLs
Weaknesses     -                 CWE-601
References     -
Metrics        -                 cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T18:34:42.665Z

Reserved: 2026-01-05T17:24:36.928Z

Link: CVE-2026-21879

Vulnrichment

Updated: 2026-01-08T18:34:24.332Z

NVD

Status : Analyzed

Published: 2026-01-08T02:15:53.490

Modified: 2026-01-20T18:15:10.597

Link: CVE-2026-21879

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:00:05Z

Weaknesses