Your message dated Tue, 17 Feb 2026 02:44:28 +0000
with message-id <[email protected]>
and subject line Bug#1127924: fixed in kanboard 1.2.50+ds-1
has caused the Debian Bug report #1127924,
regarding kanboard: CVE-2026-25924
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1127924: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127924
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: kanboard
Version: 1.2.49+ds-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for kanboard.

CVE-2026-25924[0]:
| Kanboard is project management software focused on Kanban
| methodology. Prior to 1.2.50, a security control bypass
| vulnerability in Kanboard allows an authenticated administrator to
| achieve full Remote Code Execution (RCE). Although the application
| correctly hides the plugin installation interface when the
| PLUGIN_INSTALLER configuration is set to false, the underlying
| backend endpoint fails to verify this security setting. An attacker
| can exploit this oversight to force the server to download and
| install a malicious plugin, leading to arbitrary code execution.
| This vulnerability is fixed in 1.2.50.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-25924
    https://www.cve.org/CVERecord?id=CVE-2026-25924
[1] https://github.com/kanboard/kanboard/security/advisories/GHSA-grch-p7vf-vc4f
[2] https://github.com/kanboard/kanboard/commit/b9ada89b1a64034612fc4262b88c42458c0d6ee4

Regards,
Salvatore

--- End Message ---
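The advisory quoted in the report above describes a common failure mode: the template honours the PLUGIN_INSTALLER setting by hiding the install form, but the endpoint the form posts to never re-checks it, so an authenticated administrator can call the endpoint directly. The following is an added illustration, written for this thread and not Kanboard's code or the reporter's; the role model, request/response types, handler names and the audit helper are all hypothetical, and only the PLUGIN_INSTALLER name comes from the advisory. It shows the unchecked handler beside the hardened one, and a regression check a maintainer can keep in a test suite so the gap cannot silently reopen.

```python
from dataclasses import dataclass, field

# Constructed configuration. PLUGIN_INSTALLER is the setting named in the advisory;
# everything else in this file is hypothetical and not Kanboard's code.
DEFAULT_CONFIG = {"PLUGIN_INSTALLER": False}


@dataclass
class Request:
    user_role: str    # "admin" or "user" (hypothetical role model)
    plugin_url: str   # archive the endpoint is asked to fetch (never fetched here)


@dataclass
class Response:
    status: int
    body: str


@dataclass
class Server:
    config: dict
    installed: list = field(default_factory=list)  # plugin URLs accepted during the demo

    def render_plugin_page(self) -> str:
        """Template layer: omits the install form when the feature is switched off."""
        if not self.config.get("PLUGIN_INSTALLER", False):
            return "<p>Plugin installation is disabled.</p>"
        return '<form method="post" action="/plugin/install">...</form>'

    def install_plugin_unchecked(self, req: Request) -> Response:
        """Vulnerable pattern: trusts that the form is hidden and checks only the role."""
        if req.user_role != "admin":
            return Response(403, "forbidden")
        self.installed.append(req.plugin_url)  # a real app would download and unpack here
        return Response(200, "installed")

    def install_plugin_checked(self, req: Request) -> Response:
        """Hardened pattern: the endpoint enforces the same setting the template
        honours, before any role check and before any side effect."""
        if not self.config.get("PLUGIN_INSTALLER", False):
            return Response(403, "plugin installer disabled")
        if req.user_role != "admin":
            return Response(403, "forbidden")
        self.installed.append(req.plugin_url)
        return Response(200, "installed")


def audit_disabled_feature(server: Server, handlers: dict) -> list:
    """Regression check: with PLUGIN_INSTALLER off, every handler must refuse even an
    administrator. Returns the names of handlers that still accept the request."""
    server.config["PLUGIN_INSTALLER"] = False
    req = Request(user_role="admin", plugin_url="https://example.invalid/plugin.zip")
    return [name for name, handler in handlers.items() if handler(req).status == 200]


def demo() -> dict:
    """Run both handlers against a server with the installer disabled."""
    server = Server(config=dict(DEFAULT_CONFIG))
    handlers = {
        "unchecked": server.install_plugin_unchecked,
        "checked": server.install_plugin_checked,
    }
    return {
        "form_shown": "<form" in server.render_plugin_page(),   # False: UI is hidden
        "bypassed_by": audit_disabled_feature(server, handlers),  # ["unchecked"]
        "accepted_installs": len(server.installed),             # 1, from the unchecked path
    }


if __name__ == "__main__":
    print(demo())
```

The ordering in install_plugin_checked matters: the feature flag is tested before the role check and before any download or filesystem write, so a disabled installer refuses every caller regardless of privilege, which is what the changelog's "security control bypass" wording is about.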
--- Begin Message ---
Source: kanboard
Source-Version: 1.2.50+ds-1
Done: Joseph Nahmias <[email protected]>

We believe that the bug you reported is fixed in the latest version of
kanboard, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joseph Nahmias <[email protected]> (supplier of updated kanboard package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 16 Feb 2026 20:25:55 -0500
Source: kanboard
Architecture: source
Version: 1.2.50+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Joseph Nahmias <[email protected]>
Changed-By: Joseph Nahmias <[email protected]>
Closes: 1127694 1127924
Changes:
 kanboard (1.2.50+ds-1) unstable; urgency=medium
 .
   * New upstream version 1.2.50+ds
     + fixes CVE-2026-25924 aka GHSA-grch-p7vf-vc4f
       Administrative RCE via Security Control Bypass
     + fixes CVE-2026-24885 aka GHSA-582j-h4w4-hwr5
       CSRF in Project Role Assignment
     + fixes CVE-2026-25530 aka GHSA-6rxw-vvvj-r93q
       Missing authorization check in getSwimlane API
     + fixes CVE-2026-25531 aka GHSA-vrm3-3337-whp9
       TaskCreationController::duplicateProjects() does not
       validate permissions
     Closes: #1127924, #1127694.
   * Rediff patches
Checksums-Sha1:
 10d5afb2a329ac256c3147efb5b5ecc66b41766e 2680 kanboard_1.2.50+ds-1.dsc
 7f879ccc168278af7a8edb8fb63e814e455eaae4 1077556 kanboard_1.2.50+ds.orig.tar.xz
 a6b17bc017225418cd8e975ab8a65de021bdfc1e 21336 kanboard_1.2.50+ds-1.debian.tar.xz
 53712e21c0753598425bfaed49e5e05798bb84dc 11895 kanboard_1.2.50+ds-1_amd64.buildinfo
Checksums-Sha256:
 755922f6e2b9499de6f17c611969e4a95d6de14ca4f519417b70d1ca52fbd525 2680 kanboard_1.2.50+ds-1.dsc
 d4af9db811a17f7170e58b88982edb55532d9ffae2a814e660bc789e321be281 1077556 kanboard_1.2.50+ds.orig.tar.xz
 bb2aae6ca91a53694d424b7720ca469aad875c6b8319037a73aa16b76dd26e52 21336 kanboard_1.2.50+ds-1.debian.tar.xz
 035f494b31727524f24dfb67e3524ae2d20199b1f7c855a5b4f953cf67c686c2 11895 kanboard_1.2.50+ds-1_amd64.buildinfo
Files:
 bd51d5cf4881bbf511d9f5658147c42d 2680 web optional kanboard_1.2.50+ds-1.dsc
 33e9978c091cedcb97b6c6bb867e4f6f 1077556 web optional kanboard_1.2.50+ds.orig.tar.xz
 3da9273603c006b06dc550e5985cd143 21336 web optional kanboard_1.2.50+ds-1.debian.tar.xz
 bfd8b2c0d9e190e12a4d0f5ea3a5599b 11895 web optional kanboard_1.2.50+ds-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEcxc7CTsDz7hRCK0UsRvZGQeaO5gFAmmTyygACgkQsRvZGQea
O5hcsw//f1LeE4Ce1e/QfLGf6mHJNuL5iQGjhiSYr8BBQ8CieafXVx9gcOgBcGOp
KVX1iFS+3TDowZT+luX4Uvu3RGaw5xB8BKeRWGeTa5VO7s+SUVqCQ9EL4RJPopoS
03GvEiBxIWZbPkjCt2EXlsAJnpYZIwEkkaR6IKXecUAzBBIBZjj55ZFUbT18BNyK
uL6GSTVlpP6HMiKvhiUDqESvS6VcW7Qp5lGtmvgnbS6JGltZWhG0BQ4geRsbImCb
Lg3aBu2gr5CPaK9hLwHaRocRS2G7tj3vmt8U/XxONNWrVNDPwc9hF1chC6QQvOuA
PdWjDK1XgUt+xpk/p85SsQFMqX2pUxl/Jpcl6fVJMGBHA6nu+uk9xj3q290IJN8x
yrUepeUiJl31N86otLb5lyNIamqDxtDpfWl6Xj1BhqefvaR3bPEw5soEWtSPTgJA
XP7ArGRDs70e9vhWsoj9k3biSVbV7+DRGEwAev1zjf8Qh3gFQ0H6lZeUhShZUSez
2DQvg5tI9J5DqKSsYVQ0PKfJN+3Asutjf9S6FTog46GpSm3MZZltkc3XVtySH5MA
zrKU7c4hsInAhn/fa8bOyqSQZ9rNP8wTlFb0mHD6qYDR/lmo6Ohf4mqFMlGia3C5
3dpVucncG3MPJxA1ibZ+tIwBigT0HVYCY3ILP2FPIDw5sd+FGRM=
=mACv
-----END PGP SIGNATURE-----



--- End Message ---
