Description
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a Cross-Site Request Forgery (CSRF) vulnerability exists in the ProjectPermissionController within the Kanboard application. The application fails to strictly enforce the application/json Content-Type for the changeUserRole action. Although the request body is JSON, the server accepts text/plain, allowing an attacker to craft a malicious form using the text/plain attribute. Which allows unauthorized modification of project user roles if an authenticated admin visits a malicious site This vulnerability is fixed in 1.2.50.
Published: 2026-02-10
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Access Control Bypass via CSRF
Action: Immediate Patch
AI Analysis

Impact

Kanboard implements a project authorization module that allows administrators to assign roles to users. Before version 1.2.50, the controller that handles role changes does not enforce the Content-Type header for the request body, accepting text/plain even though the body is JSON. An attacker can send a forged request from a malicious webpage that sets the Content-Type to text/plain and post JSON data, exploiting CSRF. The result is that an authenticated administrator who inadvertently visits a malicious site can have the role of a user changed without knowing it, effectively elevating or delegating privileges.

Affected Systems

All installations of Kanboard earlier than 1.2.50 are affected. The product is distributed under the project name Kanboard, version 1.0 through 1.2.49. The applicable vendor/product is kanboard:kanboard, as reflected in the CNA listing. No additional versions or distributions are mentioned.

Risk and Exploitability

The CVSS base score of 5.7 indicates moderate severity with an attacker authenticating as an administrator to perform the action. EPSS is reported as < 1%, suggesting the likelihood of exploitation is low at present. The vulnerability is not listed in the CISA KEV catalog. Successful exploitation requires an authenticated admin, a web page capable of sending a POST request to the changeUserRole endpoint, and the ability to coerce the admin to visit that page. Once a request is sent, the server process accepts it because it does not check the Content-Type, allowing the role change API to be invoked with attacker-supplied JSON.

Generated by OpenCVE AI on April 17, 2026 at 20:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kanboard to version 1.2.50 or later to apply the vendor‑provided fix.
  • Configure the web server to reject POST requests with the Content-Type header set to text/plain when targeting the changeUserRole endpoint.
  • Monitor administrator accounts for unexpected role changes and review logs for calls to the role‑assignment API.

Generated by OpenCVE AI on April 17, 2026 at 20:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*

Tue, 10 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Kanboard
Kanboard kanboard
Vendors & Products Kanboard
Kanboard kanboard

Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 17:00:00 +0000

Type Values Removed Values Added
Description Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a Cross-Site Request Forgery (CSRF) vulnerability exists in the ProjectPermissionController within the Kanboard application. The application fails to strictly enforce the application/json Content-Type for the changeUserRole action. Although the request body is JSON, the server accepts text/plain, allowing an attacker to craft a malicious form using the text/plain attribute. Which allows unauthorized modification of project user roles if an authenticated admin visits a malicious site This vulnerability is fixed in 1.2.50.
Title Kanboard Affected by Cross-Site Request Forgery (CSRF) via Content-Type Misconfiguration in Project Role Assignment
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N'}

Subscriptions

Kanboard Kanboard
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T17:27:35.020Z

Reserved: 2026-01-27T19:35:20.528Z

Link: CVE-2026-24885

cve-icon Vulnrichment

Updated: 2026-02-10T17:27:26.308Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T17:16:20.940

Modified: 2026-02-13T20:19:00.370

Link: CVE-2026-24885

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T21:00:12Z

Weaknesses