Unrated severityOSV Advisory· Published Jan 8, 2026· Updated Jan 8, 2026

Kanboard LDAP Injection Vulnerability can Lead to User Enumeration and Information Disclosure

CVE-2026-21880

Description

Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below have an LDAP Injection vulnerability in the LDAP authentication mechanism. User-supplied input is directly substituted into LDAP search filters without proper sanitization, allowing attackers to enumerate all LDAP users, discover sensitive user attributes, and perform targeted attacks against specific accounts. This issue is fixed in version 1.2.49.

Affected products

Kanboard/KanboardOSV2 versions
v1.0.0, v1.0.1, v1.0.10, …+ 1 more
- (no CPE)range: v1.0.0, v1.0.1, v1.0.10, …
- (no CPE)range: <=1.2.48

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/kanboard/kanboard/commit/dd374079f7c2d1dab74c1680960e684ff8668586mitrex_refsource_MISC
github.com/kanboard/kanboard/releases/tag/v1.2.49mitrex_refsource_MISC
github.com/kanboard/kanboard/security/advisories/GHSA-v66r-m28r-wmq7mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000