Description
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a security control bypass vulnerability in Kanboard allows an authenticated administrator to achieve full Remote Code Execution (RCE). Although the application correctly hides the plugin installation interface when the PLUGIN_INSTALLER configuration is set to false, the underlying backend endpoint fails to verify this security setting. An attacker can exploit this oversight to force the server to download and install a malicious plugin, leading to arbitrary code execution. This vulnerability is fixed in 1.2.50.
Published: 2026-02-11
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Kanboard, a Kanban‑focused project management tool, contains a security control bypass that permits an authenticated administrator to install arbitrary plugins without proper access checks. The backend endpoint responsible for plugin installation does not respect the PLUGIN_INSTALLER configuration flag, enabling the server to download and install a malicious plugin, thus providing full Remote Code Execution. The flaw is classified as a Missing Access Control (CWE‑863).

Affected Systems

Any installation of Kanboard older than version 1.2.50 is vulnerable. The affected product is Kanboard project management software. All installations that allow an administrator to authenticate are at risk, regardless of the deployment environment. The vulnerability is mitigated by upgrading to version 1.2.50 or later.

Risk and Exploitability

The CVSS score of 8.5 indicates a high impact, while the EPSS probability is < 1%, suggesting the exploit is unlikely to be widely used at present. The vulnerability is not listed in the CISA KEV catalog. Attackers must first authenticate as an administrator; from that position they can exploit the unprotected plugin‑installation endpoint to execute arbitrary code on the server.

Generated by OpenCVE AI on April 17, 2026 at 20:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kanboard to version 1.2.50 or later to apply the vendor fix.
  • If an upgrade is temporarily infeasible, set PLUGIN_INSTALLER to false and verify that the backend installation endpoint is not accessible. This limits the attack surface but does not remove the underlying code issue.
  • Implement network or application‑level controls to block calls to the plugin‑installer endpoint from untrusted sources.
  • Regularly audit server logs and Kanboard activity for unexpected plugin installation events to detect potential exploitation attempts.

Generated by OpenCVE AI on April 17, 2026 at 20:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*

Thu, 12 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Kanboard
Kanboard kanboard
Vendors & Products Kanboard
Kanboard kanboard

Wed, 11 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
Description Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a security control bypass vulnerability in Kanboard allows an authenticated administrator to achieve full Remote Code Execution (RCE). Although the application correctly hides the plugin installation interface when the PLUGIN_INSTALLER configuration is set to false, the underlying backend endpoint fails to verify this security setting. An attacker can exploit this oversight to force the server to download and install a malicious plugin, leading to arbitrary code execution. This vulnerability is fixed in 1.2.50.
Title Kanboard is Missing Access Control on Plugin Installation leading to Administrative RCE
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Kanboard Kanboard
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-12T21:18:27.186Z

Reserved: 2026-02-09T16:22:17.785Z

Link: CVE-2026-25924

cve-icon Vulnrichment

Updated: 2026-02-12T21:18:24.572Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-11T21:16:19.283

Modified: 2026-02-13T21:30:01.447

Link: CVE-2026-25924

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:15:27Z

Weaknesses