Description
Kanboard is project management software focused on Kanban methodology. Versions prior to 1.2.51 have an authenticated SQL injection vulnerability. Attackers with the permission to add users to a project can leverage this vulnerability to dump the entirety of the kanboard database. Version 1.2.51 fixes the issue.
Published: 2026-03-18
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Disclosure via Authenticated SQL Injection
Action: Immediate Patch
AI Analysis

Impact

Kanboard, a project management application, has a vulnerability in its Project Permissions Handler that allows an authenticated user with the right to add members to a project to inject SQL statements. This flaw is an instance of improper input handling (CWE-89) and, if exploited, can give the attacker full visibility into the database contents, effectively compromising the confidentiality of all data stored by Kanboard. The official description states that an attacker "can leverage this vulnerability to dump the entirety of the kanboard database."

Affected Systems

The affected product is Kanboard (cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*). Versions prior to 1.2.51 are vulnerable; version 1.2.51 and later contain the fix. No other vendors or versions were listed in the CNA data.

Risk and Exploitability

The CVSS score of 8.4 classifies this issue as High severity, reflecting the significant impact of a data dump. The EPSS score of <1% indicates that, while the flaw exists, its exploitation probability is relatively low. The vulnerability is not listed in the CISA KEV catalog. Attackers require legitimate access with permission to add users to a project; thus exploitation is facilitated by authenticated access rather than an unauthenticated remote vector. The description does not provide additional exploitation conditions beyond the mentioned permission level.

Generated by OpenCVE AI on March 18, 2026 at 19:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kanboard to version 1.2.51 or newer to remove the SQL injection flaw.

Generated by OpenCVE AI on March 18, 2026 at 19:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Wed, 18 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Kanboard
Kanboard kanboard
Vendors & Products Kanboard
Kanboard kanboard

Wed, 18 Mar 2026 03:30:00 +0000

Type Values Removed Values Added
Description Kanboard is project management software focused on Kanban methodology. Versions prior to 1.2.51 have an authenticated SQL injection vulnerability. Attackers with the permission to add users to a project can leverage this vulnerability to dump the entirety of the kanboard database. Version 1.2.51 fixes the issue.
Title Kanboard has Authenticated SQL Injection in Project Permissions Handler
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N'}

Subscriptions

Kanboard Kanboard
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T18:21:18.142Z

Reserved: 2026-03-17T18:10:50.213Z

Link: CVE-2026-33058

cve-icon Vulnrichment

Updated: 2026-03-18T18:18:52.345Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T04:17:27.727

Modified: 2026-03-18T17:52:14.303

Link: CVE-2026-33058

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:59:32Z

Weaknesses