No analysis available yet.
No remediation available yet.
Tracking
Sign in to view the affected projects.
No advisories yet.
Wed, 15 Jul 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 15 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Kanboard through 1.2.52, fixed in commit 564cc30, BoardAjaxController save() method (used by the kanban board drag-and-drop endpoint) validates the caller's role on the attacker-supplied project_id but never verifies that the supplied task_id actually belongs to that project. Because task identifiers are sequential integers shared across the entire instance, any authenticated user who is a member of at least one project can enumerate and move (corrupt/hide) tasks belonging to any other project on the same instance, including private projects they have no membership or role on. | |
| Title | Kanboard BoardAjaxController Missing Ownership Check via Drag-and-Drop | |
| First Time appeared |
Kanboard
Kanboard kanboard |
|
| Weaknesses | CWE-639 | |
| CPEs | cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Kanboard
Kanboard kanboard |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-15T17:54:24.732Z
Reserved: 2026-07-01T21:54:37.946Z
Link: CVE-2026-58660
Updated: 2026-07-15T17:54:19.443Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-15T22:30:06Z
-
CWE-639
Authorization Bypass Through User-Controlled Key