Source: kanboard
Version: 1.2.49+ds-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for kanboard.

CVE-2026-24885[0]:
| Kanboard is project management software focused on Kanban
| methodology. Prior to 1.2.50, a Cross-Site Request Forgery (CSRF)
| vulnerability exists in the ProjectPermissionController within the
| Kanboard application. The application fails to strictly enforce the
| application/json Content-Type for the changeUserRole action.
| Although the request body is JSON, the server accepts text/plain,
| allowing an attacker to craft a malicious form using the text/plain
| attribute. Which allows unauthorized modification of project user
| roles if an authenticated admin visits a malicious site. This
| vulnerability is fixed in 1.2.50.

CVE-2026-25530[1]:
| Kanboard is project management software focused on Kanban
| methodology. Prior to 1.2.50, the getSwimlane API method lacks
| project-level authorization, allowing authenticated users to access
| swimlane data from projects they cannot access. This vulnerability
| is fixed in 1.2.50.

CVE-2026-25531[2]:
No description was found (try on a search engine)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-24885
    https://www.cve.org/CVERecord?id=CVE-2026-24885
[1] https://security-tracker.debian.org/tracker/CVE-2026-25530
    https://www.cve.org/CVERecord?id=CVE-2026-25530
[2] https://security-tracker.debian.org/tracker/CVE-2026-25531
    https://www.cve.org/CVERecord?id=CVE-2026-25531

Regards,
Salvatore
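Added example, not part of the bug report and not Kanboard's code: a small Python model of the text/plain CSRF technique behind CVE-2026-24885 and of the Content-Type check that closes it. A plain HTML form with enctype="text/plain" encodes each field as "name=value" followed by CRLF, with no percent-encoding, so an attacker can choose a field name and value whose concatenation is valid JSON; a server that parses any body that happens to be JSON, without checking the Content-Type, will act on it. The Request class, field names and role values below are constructed for illustration and are not Kanboard's real parameters.

```python
"""
Model of a text/plain CSRF body and of strict Content-Type enforcement.
Constructed example; it does not use or reproduce Kanboard's own code.
"""
import json
from dataclasses import dataclass


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    content_type: str
    body: bytes


def text_plain_form_body(fields: list[tuple[str, str]]) -> bytes:
    """
    Encode fields the way a browser encodes <form enctype="text/plain">:
    one 'name=value' pair per line, CRLF-terminated, no percent-encoding.
    """
    return "".join(f"{name}={value}\r\n" for name, value in fields).encode()


def csrf_payload() -> bytes:
    """
    Attacker-controlled form fields (hypothetical names) whose text/plain
    encoding is valid JSON. The field name carries the whole object up to a
    dummy key whose string value is left open; the browser inserts '=' and
    the field value closes the string and the object.
    """
    prefix = '{"project_id": 1, "user_id": 42, "role": "project-manager", "pad": "'
    return text_plain_form_body([(prefix, '"}')])
    # body: {"project_id": 1, "user_id": 42, "role": "project-manager", "pad": "="}\r\n


def vulnerable_handler(req: Request) -> dict:
    """
    Weak pattern: parse the body as JSON no matter what Content-Type says.
    A cross-site text/plain form post is accepted exactly like a real
    application/json request from the application's own front end.
    """
    data = json.loads(req.body)
    return {"status": "ok", "applied": data}


def content_type_is_json(header: str) -> bool:
    """Accept only the application/json media type, ignoring parameters."""
    media_type = header.split(";", 1)[0].strip().lower()
    return media_type == "application/json"


def hardened_handler(req: Request) -> dict:
    """
    Hardened pattern: reject anything that is not application/json before
    touching the body. An HTML form cannot set that media type; a fetch()
    or XMLHttpRequest that sets it cross-origin triggers a CORS preflight,
    which the server does not approve.
    """
    if not content_type_is_json(req.content_type):
        return {"status": 415, "error": "Content-Type must be application/json"}
    data = json.loads(req.body)
    return {"status": "ok", "applied": data}


if __name__ == "__main__":
    forged = Request("text/plain", csrf_payload())
    print("vulnerable:", vulnerable_handler(forged))
    print("hardened:  ", hardened_handler(forged))
```

The Content-Type check is a useful defence in depth for JSON endpoints, because it removes the one request shape a cross-site form can produce; it does not replace a per-session CSRF token on state-changing actions, and a real handler should still verify one.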

