<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Kanboard (&lt;= 1.2.52) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/kanboard--1.2.52/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 18:23:48 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/kanboard--1.2.52/feed.xml" rel="self" type="application/rss+xml"/><item><title>Kanboard Vulnerability CVE-2026-58660 Allows Cross-Project Task Manipulation</title><link>https://feed.craftedsignal.io/briefs/2026-07-kanboard-cve-2026-58660/</link><pubDate>Wed, 15 Jul 2026 18:23:48 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-kanboard-cve-2026-58660/</guid><description>A high-severity vulnerability, CVE-2026-58660, in Kanboard versions up to 1.2.52 allows any authenticated user to enumerate, move, corrupt, or hide tasks belonging to any project on the same instance, including private projects, due to improper validation in the BoardAjaxController save() method.</description><content:encoded><![CDATA[<p>CVE-2026-58660 identifies a significant vulnerability in Kanboard versions through 1.2.52, which was subsequently addressed in commit 564cc30. This flaw resides within the <code>BoardAjaxController save()</code> method, utilized by the kanban board's drag-and-drop functionality. While the system correctly validates the caller's role based on the <code>project_id</code> supplied by the attacker, it critically fails to verify that the provided <code>task_id</code> actually belongs to that specific project. Since <code>task_id</code> values are sequential integers shared across the entire Kanboard instance, any authenticated user who is a member of at least one project can exploit this vulnerability. This enables them to enumerate, move, corrupt, or hide tasks belonging to <em>any</em> other project on the same instance, including private projects for which they have no assigned membership or role.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated user successfully logs into a vulnerable Kanboard instance.</li>
<li>The user identifies a <code>project_id</code> for which they possess legitimate membership or roles.</li>
<li>The user enumerates or identifies a target <code>task_id</code> belonging to a victim project where they lack authorization, leveraging the sequential nature of task identifiers.</li>
<li>The user crafts a malicious HTTP request targeting the <code>BoardAjaxController save()</code> method, typically associated with the kanban board drag-and-drop endpoint.</li>
<li>This request includes the legitimate <code>project_id</code> (where the user has privileges) and the target <code>task_id</code> (from the victim project).</li>
<li>The Kanboard server processes the request, validating the user's roles against the supplied <code>project_id</code>.</li>
<li>Crucially, the server fails to perform a secondary validation step to confirm if the provided <code>task_id</code> is genuinely associated with the <code>project_id</code> it was supplied with.</li>
<li>The server then executes the task manipulation operation (e.g., move, update status) on the task from the victim project, resulting in unauthorized data manipulation or hiding.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-58660 allows an authenticated attacker to gain unauthorized access to and manipulate tasks across an entire Kanboard instance. This includes the ability to enumerate all task IDs, move tasks between projects, corrupt task data, or hide tasks from their legitimate owners, even in private projects where the attacker has no explicit membership. This can lead to significant data integrity issues, disruption of project workflows, unauthorized information disclosure, and potential for denial of service through widespread data corruption. The vulnerability has a CVSS v3.1 Base Score of 8.1, indicating a high severity risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-58660 immediately by updating Kanboard to a version containing commit 564cc30 or newer.</li>
<li>Monitor web server access logs for unusual activity targeting the <code>BoardAjaxController save()</code> method, specifically looking for anomalous <code>task_id</code> values submitted by legitimate users that do not correlate with tasks within their authorized projects (requires application-specific logging).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>web-vulnerability</category><category>privilege-escalation</category><category>data-manipulation</category><category>kanboard</category></item></channel></rss>