Description
Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below have an LDAP Injection vulnerability in the LDAP authentication mechanism. User-supplied input is directly substituted into LDAP search filters without proper sanitization, allowing attackers to enumerate all LDAP users, discover sensitive user attributes, and perform targeted attacks against specific accounts. This issue is fixed in version 1.2.49.
Published: 2026-01-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: User enumeration and information disclosure via LDAP injection
Action: Immediate Patch
AI Analysis

Impact

Kanboard’s LDAP authentication in versions 1.2.48 and earlier accepts unsanitized user input directly in LDAP search filters, enabling an attacker to execute LDAP injection. This flaw permits enumeration of all LDAP users and the retrieval of sensitive attributes, exposing confidential information and facilitating targeted attacks against specific accounts. The weakness maps to CWE-90 (LDAP injection) and CWE-200 (information exposure).

Affected Systems

The vulnerability affects Kanboard project management software from the kanboard vendor, specifically versions 1.2.48 and all lower releases. The issue is resolved in version 1.2.49 and later.

Risk and Exploitability

With a CVSS score of 5.3 and an EPSS below 1%, the exploit likelihood is modest, and the flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires only that the attacker can reach the LDAP authentication endpoint and supply crafted input; no elevated privileges are needed, and the flaw does not yield remote code execution. The risk is therefore moderate, affecting confidentiality primarily by revealing user data.

Generated by OpenCVE AI on April 18, 2026 at 07:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kanboard to version 1.2.49 or newer.
  • If an upgrade cannot occur immediately, restrict access to the LDAP authentication interface to trusted administrators only.
  • Configure Kanboard’s LDAP settings to enforce strict input validation or use a whitelist of allowed characters to prevent injection attempts.

Generated by OpenCVE AI on April 18, 2026 at 07:48 UTC.
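The injection pattern the Impact section describes and the input validation the recommended actions call for, shown side by side as an added example. This is not Kanboard's code and not part of the OpenCVE page: the filter template, the function names and the sample login names are assumptions chosen for illustration. The escaping follows RFC 4515, which is the standard fix for CWE-90 regardless of language.

```python
# Added example (not Kanboard's code): building an LDAP search filter from a
# login name the unsafe way described in the advisory, beside the hardened
# version that escapes the value per RFC 4515 before substitution.
# The filter template below is an assumption about a typical deployment;
# it is not quoted from Kanboard.

# Characters that change the meaning of an LDAP filter (RFC 4515 section 3)
# and the \XX hex escapes that turn them back into literal text.
FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Assumed template: one placeholder for the login name, three '(' in total.
USER_FILTER_TEMPLATE = "(&(objectClass=user)(sAMAccountName=%s))"


def escape_filter_value(value: str) -> str:
    """Escape a string so an LDAP server treats it as one literal assertion value.

    Each character is mapped exactly once, so a backslash in the input becomes
    \\5c and is not re-escaped by a later pass. Non-ASCII characters are
    emitted as their UTF-8 bytes in \\XX form, which RFC 4515 also permits.
    """
    out = []
    for ch in value:
        if ch in FILTER_ESCAPES:
            out.append(FILTER_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def build_filter_unsafe(login: str) -> str:
    """The CWE-90 pattern: the raw login name is dropped into the filter.

    A '*' in the name becomes a wildcard and a ')' ends the assertion early,
    so the search no longer matches only the one user who is logging in.
    """
    return USER_FILTER_TEMPLATE % login


def build_filter_safe(login: str) -> str:
    """Hardened form: escape first, then substitute."""
    return USER_FILTER_TEMPLATE % escape_filter_value(login)


def open_paren_count(ldap_filter: str) -> int:
    """Count filter components. After escaping, every '(' left in the string
    is structural, so a correct filter has exactly as many as the template."""
    return ldap_filter.count("(")


EXPECTED_COMPONENTS = open_paren_count(USER_FILTER_TEMPLATE)


def filter_is_well_formed(ldap_filter: str) -> bool:
    """Structural sanity check a wrapper can apply before issuing the search.

    It catches a value that opened or closed a component, but NOT a bare
    wildcard, so it complements escaping rather than replacing it.
    """
    return open_paren_count(ldap_filter) == EXPECTED_COMPONENTS


if __name__ == "__main__":
    # Constructed sample login names: a wildcard, a legitimate name that
    # happens to contain parentheses, and an ordinary account name.
    for login in ["*", "ann (ops)", "jsmith"]:
        unsafe = build_filter_unsafe(login)
        safe = build_filter_safe(login)
        print(f"input={login!r}")
        print(f"  unsafe: {unsafe}  well-formed={filter_is_well_formed(unsafe)}")
        print(f"  safe:   {safe}  well-formed={filter_is_well_formed(safe)}")
```

The point to take from running it: the parenthesis-count check flags `ann (ops)` when unescaped but passes a bare `*`, because a wildcard does not change the filter's structure. Only escaping the value before substitution closes the enumeration path. In PHP, where Kanboard is written, the same transformation is provided by the built-in `ldap_escape($value, '', LDAP_ESCAPE_FILTER)`.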

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 18:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*

Thu, 08 Jan 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 08 Jan 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Kanboard; Kanboard kanboard
Vendors & Products | | Kanboard; Kanboard kanboard

Thu, 08 Jan 2026 01:30:00 +0000

Type | Values Removed | Values Added
Description | | Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below have an LDAP Injection vulnerability in the LDAP authentication mechanism. User-supplied input is directly substituted into LDAP search filters without proper sanitization, allowing attackers to enumerate all LDAP users, discover sensitive user attributes, and perform targeted attacks against specific accounts. This issue is fixed in version 1.2.49.
Title | | Kanboard LDAP Injection Vulnerability can Lead to User Enumeration and Information Disclosure
Weaknesses | | CWE-200, CWE-90
References | |
Metrics | | cvssV3_1
  {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T18:29:16.406Z

Reserved: 2026-01-05T17:24:36.928Z

Link: CVE-2026-21880

Vulnrichment

Updated: 2026-01-08T18:28:57.981Z

NVD

Status: Analyzed

Published: 2026-01-08T02:15:53.650

Modified: 2026-01-20T18:38:16.523

Link: CVE-2026-21880

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:00:05Z

Weaknesses