VYPR
Unrated severity · OSV Advisory · Published Jan 8, 2026 · Updated Jan 8, 2026

Kanboard is Vulnerable to Reverse Proxy Authentication Bypass

CVE-2026-21881

Description

Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below are vulnerable to a critical authentication bypass when REVERSE_PROXY_AUTH is enabled. The application blindly trusts HTTP headers for user authentication without verifying that the request originated from a trusted reverse proxy. An attacker can impersonate any user, including administrators, by simply sending a spoofed HTTP header. This issue is fixed in version 1.2.49.
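The missing check described above, as an added sketch that is not Kanboard's code and not the 1.2.49 patch: the identity header is honored only when the socket peer is a known proxy. The header name `X-Remote-User`, the proxy networks, and all function names are assumptions made for illustration.

```python
import ipaddress

# Assumed names for illustration; not Kanboard's configuration keys.
USER_HEADER = "X-Remote-User"
TRUSTED_PROXIES = ["10.0.0.5/32", "fd00::/64"]


def _header(headers, name):
    """Case-insensitive header lookup; returns a stripped value or None."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip() or None
    return None


def user_from_header_unchecked(headers):
    """The flawed pattern: whoever sends the header is believed."""
    return _header(headers, USER_HEADER)


def is_trusted_peer(peer_ip, trusted=TRUSTED_PROXIES):
    """True only if the TCP peer address lies inside a trusted proxy network."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so dual-stack listeners match.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    nets = (ipaddress.ip_network(n) for n in trusted)
    return any(addr.version == net.version and addr in net for net in nets)


def user_from_header_checked(peer_ip, headers):
    """Honor the identity header only on connections from a trusted proxy.

    peer_ip must be the socket peer address, never a value taken from
    X-Forwarded-For or any other client-controlled header.
    """
    if not is_trusted_peer(peer_ip):
        return None
    return _header(headers, USER_HEADER)


# Constructed sample requests: (socket peer address, request headers).
SAMPLES = [
    ("10.0.0.5", {"X-Remote-User": "alice"}),       # via the proxy
    ("203.0.113.7", {"x-remote-user": "admin"}),    # direct, header not from proxy
    ("::ffff:10.0.0.5", {"X-Remote-User": "bob"}),  # proxy, dual-stack socket
]
```

The proxy itself should also strip any client-supplied copy of the identity header before setting its own, since the peer check only establishes which host forwarded the request.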

Affected products

2
  • Kanboard/Kanboard · OSV · 2 versions
    v1.0.0, v1.0.1, v1.0.10, … + 1 more
    • (no CPE) range: v1.0.0, v1.0.1, v1.0.10, …
    • (no CPE) range: <=1.2.48
