cvedb.io
CVE-2026-24885
MEDIUM · CVSS 5.7
EPSS exploitation probability: 0%
Published 2026-02-10T17:16:20.940 · Last modified 2026-06-17T10:23:44.947

Summary

Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a Cross-Site Request Forgery (CSRF) vulnerability exists in the ProjectPermissionController within the Kanboard application. The application fails to strictly enforce the application/json Content-Type for the changeUserRole action. Although the request body is JSON, the server accepts text/plain, allowing an attacker to craft a malicious form using the text/plain attribute. Which allows unauthorized modification of project user roles if an authenticated admin visits a malicious site This vulnerability is fixed in 1.2.50.

Affected products

kanboard — kanboard

Does this affect you?

Add your gear to cvedb and we'll alert you only when kanboard ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.