CVE-2026-21880

Name: CVE-2026-21880
Description: Kanboard is project management software focused on the Kanban methodology. Versions 1.2.48 and below have an LDAP injection vulnerability in the LDAP authentication mechanism. User-supplied input is substituted directly into LDAP search filters without proper sanitization, allowing attackers to enumerate all LDAP users, discover sensitive user attributes, and perform targeted attacks against specific accounts. This issue is fixed in version 1.2.49.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1125061

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release  Version      Status
kanboard (PTS)   forky    1.2.48+ds-1  vulnerable
                 sid      1.2.49+ds-1  fixed

The information below is based on the following data on fixed versions.

Package   Type    Release     Fixed Version  Urgency  Origin  Debian Bugs
kanboard  source  (unstable)  1.2.49+ds-1                     1125061

Notes

https://github.com/kanboard/kanboard/security/advisories/GHSA-v66r-m28r-wmq7
https://github.com/kanboard/kanboard/commit/dd374079f7c2d1dab74c1680960e684ff8668586 (v1.2.49)