Skip to content
Threat Feed
high advisory

Kanboard Vulnerability CVE-2026-58660 Allows Cross-Project Task Manipulation

A high-severity vulnerability, CVE-2026-58660, in Kanboard versions up to 1.2.52 allows any authenticated user to enumerate, move, corrupt, or hide tasks belonging to any project on the same instance, including private projects, due to improper validation in the BoardAjaxController save() method.

CVE-2026-58660 identifies a significant vulnerability in Kanboard versions through 1.2.52, which was subsequently addressed in commit 564cc30. This flaw resides within the BoardAjaxController save() method, utilized by the kanban board's drag-and-drop functionality. While the system correctly validates the caller's role based on the project_id supplied by the attacker, it critically fails to verify that the provided task_id actually belongs to that specific project. Since task_id values are sequential integers shared across the entire Kanboard instance, any authenticated user who is a member of at least one project can exploit this vulnerability. This enables them to enumerate, move, corrupt, or hide tasks belonging to any other project on the same instance, including private projects for which they have no assigned membership or role.

Attack Chain

  1. An authenticated user successfully logs into a vulnerable Kanboard instance.
  2. The user identifies a project_id for which they possess legitimate membership or roles.
  3. The user enumerates or identifies a target task_id belonging to a victim project where they lack authorization, leveraging the sequential nature of task identifiers.
  4. The user crafts a malicious HTTP request targeting the BoardAjaxController save() method, typically associated with the kanban board drag-and-drop endpoint.
  5. This request includes the legitimate project_id (where the user has privileges) and the target task_id (from the victim project).
  6. The Kanboard server processes the request, validating the user's roles against the supplied project_id.
  7. Crucially, the server fails to perform a secondary validation step to confirm if the provided task_id is genuinely associated with the project_id it was supplied with.
  8. The server then executes the task manipulation operation (e.g., move, update status) on the task from the victim project, resulting in unauthorized data manipulation or hiding.

Impact

Successful exploitation of CVE-2026-58660 allows an authenticated attacker to gain unauthorized access to and manipulate tasks across an entire Kanboard instance. This includes the ability to enumerate all task IDs, move tasks between projects, corrupt task data, or hide tasks from their legitimate owners, even in private projects where the attacker has no explicit membership. This can lead to significant data integrity issues, disruption of project workflows, unauthorized information disclosure, and potential for denial of service through widespread data corruption. The vulnerability has a CVSS v3.1 Base Score of 8.1, indicating a high severity risk.

Recommendation

  • Patch CVE-2026-58660 immediately by updating Kanboard to a version containing commit 564cc30 or newer.
  • Monitor web server access logs for unusual activity targeting the BoardAjaxController save() method, specifically looking for anomalous task_id values submitted by legitimate users that do not correlate with tasks within their authorized projects (requires application-specific logging).