{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/kanboard--1.2.52/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-58660"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Kanboard (\u003c= 1.2.52)"],"_cs_severities":["high"],"_cs_tags":["web-vulnerability","privilege-escalation","data-manipulation","kanboard"],"_cs_type":"advisory","_cs_vendors":["Kanboard"],"content_html":"\u003cp\u003eCVE-2026-58660 identifies a significant vulnerability in Kanboard versions through 1.2.52, which was subsequently addressed in commit 564cc30. This flaw resides within the \u003ccode\u003eBoardAjaxController save()\u003c/code\u003e method, utilized by the kanban board's drag-and-drop functionality. While the system correctly validates the caller's role based on the \u003ccode\u003eproject_id\u003c/code\u003e supplied by the attacker, it critically fails to verify that the provided \u003ccode\u003etask_id\u003c/code\u003e actually belongs to that specific project. Since \u003ccode\u003etask_id\u003c/code\u003e values are sequential integers shared across the entire Kanboard instance, any authenticated user who is a member of at least one project can exploit this vulnerability. This enables them to enumerate, move, corrupt, or hide tasks belonging to \u003cem\u003eany\u003c/em\u003e other project on the same instance, including private projects for which they have no assigned membership or role.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user successfully logs into a vulnerable Kanboard instance.\u003c/li\u003e\n\u003cli\u003eThe user identifies a \u003ccode\u003eproject_id\u003c/code\u003e for which they possess legitimate membership or roles.\u003c/li\u003e\n\u003cli\u003eThe user enumerates or identifies a target \u003ccode\u003etask_id\u003c/code\u003e belonging to a victim project where they lack authorization, leveraging the sequential nature of task identifiers.\u003c/li\u003e\n\u003cli\u003eThe user crafts a malicious HTTP request targeting the \u003ccode\u003eBoardAjaxController save()\u003c/code\u003e method, typically associated with the kanban board drag-and-drop endpoint.\u003c/li\u003e\n\u003cli\u003eThis request includes the legitimate \u003ccode\u003eproject_id\u003c/code\u003e (where the user has privileges) and the target \u003ccode\u003etask_id\u003c/code\u003e (from the victim project).\u003c/li\u003e\n\u003cli\u003eThe Kanboard server processes the request, validating the user's roles against the supplied \u003ccode\u003eproject_id\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eCrucially, the server fails to perform a secondary validation step to confirm if the provided \u003ccode\u003etask_id\u003c/code\u003e is genuinely associated with the \u003ccode\u003eproject_id\u003c/code\u003e it was supplied with.\u003c/li\u003e\n\u003cli\u003eThe server then executes the task manipulation operation (e.g., move, update status) on the task from the victim project, resulting in unauthorized data manipulation or hiding.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-58660 allows an authenticated attacker to gain unauthorized access to and manipulate tasks across an entire Kanboard instance. This includes the ability to enumerate all task IDs, move tasks between projects, corrupt task data, or hide tasks from their legitimate owners, even in private projects where the attacker has no explicit membership. This can lead to significant data integrity issues, disruption of project workflows, unauthorized information disclosure, and potential for denial of service through widespread data corruption. The vulnerability has a CVSS v3.1 Base Score of 8.1, indicating a high severity risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-58660 immediately by updating Kanboard to a version containing commit 564cc30 or newer.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for unusual activity targeting the \u003ccode\u003eBoardAjaxController save()\u003c/code\u003e method, specifically looking for anomalous \u003ccode\u003etask_id\u003c/code\u003e values submitted by legitimate users that do not correlate with tasks within their authorized projects (requires application-specific logging).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T18:23:48Z","date_published":"2026-07-15T18:23:48Z","id":"https://feed.craftedsignal.io/briefs/2026-07-kanboard-cve-2026-58660/","summary":"A high-severity vulnerability, CVE-2026-58660, in Kanboard versions up to 1.2.52 allows any authenticated user to enumerate, move, corrupt, or hide tasks belonging to any project on the same instance, including private projects, due to improper validation in the BoardAjaxController save() method.","title":"Kanboard Vulnerability CVE-2026-58660 Allows Cross-Project Task Manipulation","url":"https://feed.craftedsignal.io/briefs/2026-07-kanboard-cve-2026-58660/"}],"language":"en","title":"CraftedSignal Threat Feed - Kanboard (\u003c= 1.2.52)","version":"https://jsonfeed.org/version/1.1"}