Description
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.51, Kanboard's user invite registration endpoint (`UserInviteController::register()`) accepts all POST parameters and passes them to `UserModel::create()` without filtering out the `role` field. An attacker who receives an invite link can inject `role=app-admin` in the registration form to create an administrator account. Version 1.2.51 fixes the issue.
Published: 2026-03-18
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Mass Assignment
Action: Immediate Patch
AI Analysis

Impact

Kanboard's user invite registration endpoint (UserInviteController::register()) processes all POST parameters and forwards them to UserModel::create() without filtering the role attribute. As a result, an attacker who obtains an invite link can submit a form with role=app-admin and create an account with full administrator privileges. This privilege escalation allows the attacker to configure boards, create projects, and alter system settings, effectively compromising the entire platform. The weakness is a Mass Assignment flaw (CWE-915).

Affected Systems

Versions of Kanboard before 1.2.51 are affected. The official fix resides in release 1.2.51; any deployment of 1.2.50 or earlier that exposes the invite registration endpoint is vulnerable. The affected product is the Kanboard project management software provided by the vendor kanboard.

Risk and Exploitability

With a CVSS score of 7, the vulnerability is considered moderate to high severity. The EPSS score is <1%, indicating that it is unlikely to be widely exploited at present, and it is not cataloged in the CISA KEV list. The exploit requires an attacker to obtain or guess a valid invite link and then submit a crafted registration request, suggesting a user‑initiated web form attack. No network‑level access is required beyond the ability to reach the public invite URL.

Generated by OpenCVE AI on March 18, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kanboard to version 1.2.51 or later.
  • If upgrading is not possible immediately, implement a temporary change that removes the role field from the invite registration form or validates role values.
  • Audit invite usage and monitor for unauthorized admin accounts.

Generated by OpenCVE AI on March 18, 2026 at 20:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 18 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Kanboard
Kanboard kanboard
Vendors & Products Kanboard
Kanboard kanboard

Wed, 18 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
Description Kanboard is project management software focused on Kanban methodology. Prior to 1.2.51, Kanboard's user invite registration endpoint (`UserInviteController::register()`) accepts all POST parameters and passes them to `UserModel::create()` without filtering out the `role` field. An attacker who receives an invite link can inject `role=app-admin` in the registration form to create an administrator account. Version 1.2.51 fixes the issue.
Title Kanboard's privilege escalation via mass assignment in user invite registration allows any invited user to become admin
Weaknesses CWE-915
References
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:H/SI:N/SA:N/E:P'}

Subscriptions

Kanboard Kanboard
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T14:01:17.860Z

Reserved: 2026-03-03T17:50:11.244Z

Link: CVE-2026-29056

cve-icon Vulnrichment

Updated: 2026-03-18T14:01:06.511Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T02:16:24.407

Modified: 2026-03-18T19:40:48.907

Link: CVE-2026-29056

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:59:33Z

Weaknesses