CVE-2026-58660

NameCVE-2026-58660
DescriptionKanboard through 1.2.52, fixed in commit 564cc30, BoardAjaxController save() method (used by the kanban board drag-and-drop endpoint) validates the caller's role on the attacker-supplied project_id but never verifies that the supplied task_id actually belongs to that project. Because task identifiers are sequential integers shared across the entire instance, any authenticated user who is a member of at least one project can enumerate and move (corrupt/hide) tasks belonging to any other project on the same instance, including private projects they have no membership or role on.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
kanboard (PTS)sid1.2.51+ds-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
kanboardsource(unstable)(unfixed)

Notes

https://github.com/kanboard/kanboard/issues/5852
https://github.com/kanboard/kanboard/pull/5853
Fixed by: https://github.com/kanboard/kanboard/commit/564cc30e1e360959572e01e158734d9475c05903

Search for package or bug name: Reporting problems