Description
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, the getSwimlane API method lacks project-level authorization, allowing authenticated users to access swimlane data from projects they cannot access. This vulnerability is fixed in 1.2.50.
Published: 2026-02-10
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data disclosure
Action: Apply patch
AI Analysis

Impact

The vulnerability arises because the getSwimlane API method in Kanboard does not enforce a project-level authorization check. An authenticated user can invoke the API and retrieve swimlane data from any project, including projects they are not a member of. The result is disclosure of confidential project information to unauthorized users. The weakness is classified as CWE-639 (Authorization Bypass Through User-Controlled Key): the caller supplies an object identifier and the server returns the object without verifying that the caller may access the project it belongs to.

Affected Systems

The Kanboard project-management software (product kanboard, vendor kanboard) is affected. Any installation running a version prior to 1.2.50 is vulnerable. The patch was released in version 1.2.50.

Risk and Exploitability

The CVSS score for this issue is 4.3, indicating a medium impact. The EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild. It is not present in the CISA KEV catalog. Because the flaw is only reachable by an authenticated user, an attacker would need valid credentials (for example, a low-privileged or compromised account) to perform the cross-project data retrieval.

Generated by OpenCVE AI on April 17, 2026 at 20:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kanboard to version 1.2.50 or later, which adds the missing authorization check to the getSwimlane API.
  • Review and ensure user permissions restrict access to projects accordingly, preventing unauthorized cross‑project data disclosure.
  • Monitor authentication logs for unusual API usage patterns that may indicate attempts to access multiple projects.
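As an added illustration of the log review suggested in the last bullet (this is not Kanboard's code and is not part of the OpenCVE record), the script below scans an API access log for getSwimlane calls and reports those whose caller is not a member of the project the requested swimlane belongs to. The log line format, the swimlane-to-project mapping and the membership table are all constructed here as assumptions; a real deployment would take the last two from its own Kanboard database. It also counts distinct projects per user, which is the "unusual API usage pattern" a reviewer can spot even before membership data is joined in.

```python
"""Flag getSwimlane API calls that land in projects the caller is not a member of.

Added illustration for the advisory above. Not Kanboard's code: the log line
format, the swimlane-to-project mapping and the membership table are all
constructed for this script; a real deployment would pull the last two from
its own Kanboard database.
"""
import json
import re
from collections import defaultdict

# Constructed sample API access log (assumed format: timestamp, user,
# JSON-RPC method name, JSON params). getSwimlane is keyed by swimlane_id
# only, which is why a per-object project check must happen server-side.
SAMPLE_LOG = """\
2026-02-11T09:00:01Z user=alice method=getSwimlane params={"swimlane_id": 12}
2026-02-11T09:00:05Z user=alice method=getSwimlane params={"swimlane_id": 40}
2026-02-11T09:00:06Z user=alice method=getSwimlane params={"swimlane_id": 41}
2026-02-11T09:00:07Z user=alice method=getSwimlane params={"swimlane_id": 42}
2026-02-11T09:01:00Z user=bob method=getSwimlane params={"swimlane_id": 40}
2026-02-11T09:01:30Z user=bob method=getBoard params={"project_id": 3}
this line is not in the expected format and is skipped
"""

# Constructed lookup tables standing in for database queries.
SWIMLANE_PROJECT = {12: 1, 40: 3, 41: 4, 42: 5}          # swimlane_id -> project_id
PROJECT_MEMBERS = {1: {"alice"}, 3: {"bob"}, 4: {"bob"}, 5: {"carol"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) params=(?P<params>\{.*\})$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["params"] = json.loads(rec["params"])
    except json.JSONDecodeError:
        return None
    return rec


def iter_calls(log_text, method):
    """Yield parsed records for one JSON-RPC method only."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["method"] == method:
            yield rec


def find_cross_project_access(log_text, swimlane_project, members):
    """Return (ts, user, swimlane_id, project_id) for getSwimlane calls whose
    caller is not a member of the swimlane's project. Unknown swimlane ids are
    reported with project_id None rather than silently dropped."""
    hits = []
    for rec in iter_calls(log_text, "getSwimlane"):
        swimlane_id = rec["params"].get("swimlane_id")
        project_id = swimlane_project.get(swimlane_id)
        if project_id is None or rec["user"] not in members.get(project_id, set()):
            hits.append((rec["ts"], rec["user"], swimlane_id, project_id))
    return hits


def distinct_projects_per_user(log_text, swimlane_project):
    """Count distinct projects each user reached through getSwimlane; one user
    touching many projects in a short window is the pattern worth a closer look."""
    seen = defaultdict(set)
    for rec in iter_calls(log_text, "getSwimlane"):
        project_id = swimlane_project.get(rec["params"].get("swimlane_id"))
        if project_id is not None:
            seen[rec["user"]].add(project_id)
    return {user: len(projects) for user, projects in seen.items()}


if __name__ == "__main__":
    for hit in find_cross_project_access(SAMPLE_LOG, SWIMLANE_PROJECT, PROJECT_MEMBERS):
        print("cross-project getSwimlane:", hit)
    print(distinct_projects_per_user(SAMPLE_LOG, SWIMLANE_PROJECT))
```

On the constructed sample, alice's three calls into projects 3, 4 and 5 are flagged while her call into project 1 and bob's call into project 3 pass; the per-user count (alice: 4 projects, bob: 1) surfaces the same activity without needing the membership table. After upgrading to 1.2.50 the server rejects these calls itself, so the same scan run over post-upgrade logs should come back empty.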



Advisories

No advisories yet.

History

Fri, 13 Feb 2026 20:30:00 +0000

Type | Values removed | Values added
CPEs | | cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*

Tue, 10 Feb 2026 21:45:00 +0000

Type | Values removed | Values added
First Time appeared | | Kanboard; Kanboard kanboard
Vendors & Products | | Kanboard; Kanboard kanboard

Tue, 10 Feb 2026 17:15:00 +0000

Type | Values removed | Values added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 17:00:00 +0000

Type | Values removed | Values added
Description | | Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, the getSwimlane API method lacks project-level authorization, allowing authenticated users to access swimlane data from projects they cannot access. This vulnerability is fixed in 1.2.50.
Title | | Kanboard is missing authorization check in getSwimlane API allows cross-project data access
Weaknesses | | CWE-639
References | |
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T17:06:13.410Z

Reserved: 2026-02-02T19:59:47.373Z

Link: CVE-2026-25530

Vulnrichment

Updated: 2026-02-10T17:06:09.670Z

NVD

Status : Analyzed

Published: 2026-02-10T17:16:21.910

Modified: 2026-02-13T20:21:29.700

Link: CVE-2026-25530

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:00:12Z

Weaknesses