๐Ÿ” CVE Alert

CVE-2026-58660

HIGH 8.1

Kanboard BoardAjaxController Missing Ownership Check via Drag-and-Drop

CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th

Kanboard through 1.2.52, fixed in commit 564cc30, BoardAjaxController save() method (used by the kanban board drag-and-drop endpoint) validates the caller's role on the attacker-supplied project_id but never verifies that the supplied task_id actually belongs to that project. Because task identifiers are sequential integers shared across the entire instance, any authenticated user who is a member of at least one project can enumerate and move (corrupt/hide) tasks belonging to any other project on the same instance, including private projects they have no membership or role on.

CWE CWE-639
Vendor kanboard
Product kanboard
Published Jul 15, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for kanboard kanboard

Be the first to know when new high vulnerabilities affecting kanboard kanboard are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Affected Versions

kanboard / kanboard
0 < 1.2.52

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/kanboard/kanboard/issues/5852 github.com: https://github.com/kanboard/kanboard/pull/5853 github.com: https://github.com/kanboard/kanboard/commit/564cc30e1e360959572e01e158734d9475c05903 vulncheck.com: https://www.vulncheck.com/advisories/kanboard-boardajaxcontroller-missing-ownership-check-via-drag-and-drop

Credits

George Chen