VYPR
Unrated severityOSV Advisory· Published Jul 16, 2026

Debian kanboard: Kanboard through 1.2.52, fixed in commit 564cc30, BoardAjaxController save() met…

CVE-2026-58660

Description

Kanboard through 1.2.52, fixed in commit 564cc30, BoardAjaxController save() method (used by the kanban board drag-and-drop endpoint) validates the caller's role on the attacker-supplied project_id but never verifies that the supplied task_id actually belongs to that project. Because task identifiers are sequential integers shared across the entire instance, any authenticated user who is a member of at least one project can enumerate and move (corrupt/hide) tasks belonging to any other project on the same instance, including private projects they have no membership or role on.

Affected products

3
  • Kanboard/KanboardOSV2 versions
    v1.2.51, v1.2.50, v1.2.49, …+ 1 more
    • (no CPE)range: v1.2.51, v1.2.50, v1.2.49, …
    • (no CPE)range: <=1.2.52
  • Debian/kanboardllm-create
    Range: <=1.2.52

Patches

Vulnerability mechanics

News mentions

0

No linked articles in our index yet.

CVE-2026-58660 · VYPR