CVE-2026-25531

Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, The fix for CVE-2023-33968 is incomplete. The TaskCreationController::duplicateProjects() endpoint does not validate user permissions for target projects, allowing authenticated users to duplicate tasks into projects they cannot access. This vulnerability is fixed in 1.2.50.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/kanboard/kanboard/commit/df7b7a21ee071f36466d8b38e40d0b0b8b8d394d	Patch
https://github.com/kanboard/kanboard/releases/tag/v1.2.50	Product Release Notes
https://github.com/kanboard/kanboard/security/advisories/GHSA-vrm3-3337-whp9	Exploit Vendor Advisory Mitigation

Configurations

Configuration 1 (hide)

cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-13 15:15

Updated : 2026-02-13 20:43

NVD link : CVE-2026-25531

Mitre link : CVE-2026-25531

CVE.ORG link : CVE-2026-25531

JSON object : View

Products Affected

kanboard

kanboard

CWE

CWE-862

Missing Authorization

{"id": "CVE-2026-25531", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2026-02-13T15:15:57.990", "references": [{"url": "https://github.com/kanboard/kanboard/commit/df7b7a21ee071f36466d8b38e40d0b0b8b8d394d", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/kanboard/kanboard/releases/tag/v1.2.50", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-vrm3-3337-whp9", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, The fix for CVE-2023-33968 is incomplete. The TaskCreationController::duplicateProjects() endpoint does not validate user permissions for target projects, allowing authenticated users to duplicate tasks into projects they cannot access. This vulnerability is fixed in 1.2.50."}, {"lang": "es", "value": "Kanboard es un software de gesti\u00f3n de proyectos enfocado en la metodolog\u00eda Kanban. Antes de 1.2.50, la correcci\u00f3n para CVE-2023-33968 es incompleta. El endpoint TaskCreationController::duplicateProjects() no valida los permisos de usuario para los proyectos de destino, permitiendo a los usuarios autenticados duplicar tareas en proyectos a los que no pueden acceder. Esta vulnerabilidad est\u00e1 corregida en 1.2.50."}], "lastModified": "2026-02-13T20:43:30.620", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C1B88FC0-3CFD-4A8C-A9E4-9AAF4F1D51EE", "versionEndExcluding": "1.2.50"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}