Description
Kanboard through 1.2.52, fixed in commit 928c68a, UserViewController::removeSession fails to validate the session id parameter before passing it to RememberMeSessionModel::remove, allowing authenticated users to delete other users' Remember Me sessions. Attackers can enumerate sequential session IDs and mass-invalidate persistent login sessions of any user, including administrators, forcing re-authentication and causing denial of service.
Published: 2026-06-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Kanboard versions up to 1.2.52 contain a flaw in UserViewController::removeSession that does not validate the session ID supplied by the requester before passing it to RememberMeSessionModel::remove. As a result, any authenticated user can delete session IDs belonging to other users, including administrators, causing those users to be forced to re-authenticate and disrupting their access. This flaw is a session fixation weakness (CWE-639) and primarily leads to denial of service by removing persistent login sessions.

Affected Systems

Vulnerable are installations of Kanboard with versions 1.2.52 or earlier, provided by the vendor Kanboard. The patch that removes the issue is included in commit 928c68aa2b7c00092dd71084d329b912e229f3d1 and is available in releases after 1.2.52.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. Because EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, the public exploitation likelihood is uncertain, but the flaw would be easy to use once an attacker has an authenticated session. The path to exploitation requires an attacker to possess valid credentials and then submit crafted session IDs to the deletion endpoint. Once exploited, the denial of service can affect any user, including administrators, leading to service disruption for the affected Kanboard instance.

Generated by OpenCVE AI on June 25, 2026 at 19:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Kanboard to a patched version that includes commit 928c68a or apply the patch manually to enforce session ID validation.
  • Restrict the session deletion functionality to users with administrative privileges to limit potential misuse.
  • Enable audit logging for session removal requests so that any unauthorized attempts can be detected and investigated.

Generated by OpenCVE AI on June 25, 2026 at 19:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*

Thu, 25 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Kanboard
Kanboard kanboard
Vendors & Products Kanboard
Kanboard kanboard

Thu, 25 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Description Kanboard through 1.2.52, fixed in commit 928c68a, UserViewController::removeSession fails to validate the session id parameter before passing it to RememberMeSessionModel::remove, allowing authenticated users to delete other users' Remember Me sessions. Attackers can enumerate sequential session IDs and mass-invalidate persistent login sessions of any user, including administrators, forcing re-authentication and causing denial of service.
Title Kanboard - Cross-User Deletion of Persistent Login Sessions via Unvalidated Session ID
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Kanboard Kanboard
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-14T21:34:23.469Z

Reserved: 2026-06-23T01:22:22.571Z

Link: CVE-2026-56774

cve-icon Vulnrichment

Updated: 2026-06-25T20:30:44.600Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T21:45:15Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key