Unrated severityOSV Advisory· Published Jul 16, 2026
Debian kanboard: Kanboard through 1.2.52, fixed in commit 564cc30, BoardAjaxController save() met…
CVE-2026-58660
Description
Kanboard through 1.2.52, fixed in commit 564cc30, BoardAjaxController save() method (used by the kanban board drag-and-drop endpoint) validates the caller's role on the attacker-supplied project_id but never verifies that the supplied task_id actually belongs to that project. Because task identifiers are sequential integers shared across the entire instance, any authenticated user who is a member of at least one project can enumerate and move (corrupt/hide) tasks belonging to any other project on the same instance, including private projects they have no membership or role on.
Affected products
3Patches
Vulnerability mechanics
News mentions
0No linked articles in our index yet.