Description
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, the fix for CVE-2023-33968 is incomplete. The TaskCreationController::duplicateProjects() endpoint does not validate user permissions for target projects, allowing authenticated users to duplicate tasks into projects they cannot access. This vulnerability is fixed in 1.2.50.
Published: 2026-02-13
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Modification (CVSS C:N/I:L/A:N)
Action: Patch
AI Analysis

Impact

The TaskCreationController::duplicateProjects() endpoint in Kanboard lets an authenticated user copy a task from a project they can access into target projects they are not a member of, because the endpoint authorizes only the source side of the operation and trusts the caller-supplied target project ids. This is a missing-authorization flaw (CWE-862) with an integrity impact: the attacker can plant task copies, with their title and other copied content, in projects they should have no write access to. The CVSS vector recorded on this page (C:N/I:L/A:N) carries no confidentiality impact, since the tasks being copied are ones the attacker can already read; nothing from the target project flows back to them.
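The shape of the bug and of its fix, as an added illustration in Python rather than Kanboard's own PHP: an in-memory store of projects, memberships and tasks, and two versions of a "copy this task into these projects" handler. The vulnerable version checks the source project only; the fixed version checks every target project before writing anything. All names here (Store, Task, Forbidden, duplicate_task_unchecked, duplicate_task_checked) and the scenario in demo() are this example's own and do not correspond to Kanboard identifiers.

```python
"""Missing target-project authorization (CWE-862), modelled in Python.

Added illustration, not Kanboard code. The membership model is a
deliberate simplification: in a real application the check is "may this
user create tasks in this project", whatever role that maps to.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the acting user lacks permission on a project."""


@dataclass
class Task:
    id: int
    project_id: int
    title: str


@dataclass
class Store:
    # project_id -> usernames allowed to create tasks in that project
    members: dict[int, set[str]]
    tasks: dict[int, Task] = field(default_factory=dict)
    next_id: int = 1

    def add_task(self, project_id: int, title: str) -> Task:
        task = Task(self.next_id, project_id, title)
        self.tasks[task.id] = task
        self.next_id += 1
        return task

    def can_write(self, user: str, project_id: int) -> bool:
        return user in self.members.get(project_id, set())

    def tasks_in(self, project_id: int) -> list[Task]:
        return [t for t in self.tasks.values() if t.project_id == project_id]


def duplicate_task_unchecked(store: Store, user: str, task_id: int,
                             target_ids: list[int]) -> list[int]:
    """Vulnerable shape: authorizes the source project, then trusts the
    caller-supplied target project ids without checking any of them."""
    task = store.tasks[task_id]
    if not store.can_write(user, task.project_id):
        raise Forbidden(f"{user} has no access to project {task.project_id}")
    # BUG (CWE-862): no authorization on target_ids, so the caller can
    # plant copies of the task in projects they are not a member of.
    return [store.add_task(pid, task.title).id for pid in target_ids]


def duplicate_task_checked(store: Store, user: str, task_id: int,
                           target_ids: list[int]) -> list[int]:
    """Fixed shape: every target project is authorized before any copy is
    written, so a request with one forbidden id writes nothing at all."""
    task = store.tasks[task_id]
    if not store.can_write(user, task.project_id):
        raise Forbidden(f"{user} has no access to project {task.project_id}")
    denied = [pid for pid in target_ids if not store.can_write(user, pid)]
    if denied:
        raise Forbidden(f"{user} may not create tasks in projects {denied}")
    return [store.add_task(pid, task.title).id for pid in target_ids]


def demo() -> dict:
    """Constructed scenario: mallory and alice share project 1, only alice
    is in project 2, and mallory tries to copy her task into project 2."""
    store = Store(members={1: {"alice", "mallory"}, 2: {"alice"}})
    src = store.add_task(1, "notes from mallory")          # task id 1
    planted = duplicate_task_unchecked(store, "mallory", src.id, [2])
    try:
        duplicate_task_checked(store, "mallory", src.id, [2])
        blocked = False
    except Forbidden:
        blocked = True
    # A legitimate member of both projects is still served by the fixed handler.
    allowed = duplicate_task_checked(store, "alice", src.id, [1, 2])
    return {
        "planted_ids": planted,            # [2]: copy landed in project 2
        "blocked": blocked,                # True: fixed handler refused
        "allowed_ids": allowed,            # [3, 4]
        "project2_count": len(store.tasks_in(2)),   # 2: one planted, one legitimate
    }


if __name__ == "__main__":
    print(demo())
```

The all-or-nothing check in the fixed handler matters: validating targets one at a time inside the write loop would still reject the forbidden project, but only after copies had already been written into the permitted ones, which makes a failed request harder to reason about and to clean up.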

Affected Systems

Kanboard, the open-source Kanban project-management application, is affected in every release before 1.2.50. Releases that carried the earlier, incomplete fix for CVE-2023-33968 remain vulnerable; the completed fix ships in 1.2.50.

Risk and Exploitability

The CVSS 3.1 base score is 4.3 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N: reachable over the network with low complexity and no user interaction, but requiring an authenticated account (PR:L) that can access the source task. The SSVC assessment on this page records exploitation as "poc", so a proof of concept exists, while the EPSS score below 1% and the absence of a CISA KEV listing indicate no observed exploitation in the wild. The impact is limited to creating unauthorized task copies in projects the attacker cannot otherwise write to; it does not grant read access to those projects. Overall risk to an organization is modest, but any deployment with untrusted or low-privilege accounts should update.

Generated by OpenCVE AI on April 18, 2026 at 12:30 UTC.

Remediation

Vendor fix: upgrade to Kanboard 1.2.50 or later, which completes the fix for CVE-2023-33968 (see the description above). No workaround is provided by the vendor.

OpenCVE Recommended Actions

  • Upgrade Kanboard to version 1.2.50 or later, which includes the full fix for the access-control flaw.
  • Until the upgrade is applied, block requests for this action at the reverse proxy (with Kanboard's default URL format the controller and action are selected by the controller= and action= query parameters; check whether your deployment also exposes the action under a rewritten path) and restrict which accounts can log in. Hiding the control in the user interface does not stop direct requests to the endpoint.
  • Review reverse-proxy or web-server access logs for requests invoking this action, and check each project's activity stream and task list for tasks created by users who are not members of that project.



Advisories

No advisories yet.

History

Fri, 13 Feb 2026 20:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Kanboard; Kanboard kanboard
CPEs                                  cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*
Vendors & Products                    Kanboard; Kanboard kanboard

Fri, 13 Feb 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Feb 2026 15:15:00 +0000

Type          Values Removed   Values Added
Description                    Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, The fix for CVE-2023-33968 is incomplete. The TaskCreationController::duplicateProjects() endpoint does not validate user permissions for target projects, allowing authenticated users to duplicate tasks into projects they cannot access. This vulnerability is fixed in 1.2.50.
Title                          Kanboard TaskCreationController::duplicateProjects() endpoint does not validate user permissions for target projects
Weaknesses                     CWE-862
References
Metrics                        cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-13T15:32:51.222Z

Reserved: 2026-02-02T19:59:47.373Z

Link: CVE-2026-25531

Vulnrichment

Updated: 2026-02-13T15:32:45.436Z

NVD

Status : Analyzed

Published: 2026-02-13T15:15:57.990

Modified: 2026-02-13T20:43:30.620

Link: CVE-2026-25531

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T12:45:45Z

Weaknesses