Advisory

Kanboard patches critical authentication bypass and information disclosure flaws

Take action: If possible, ensure your Kanboard instance is isolated from the internet and accessible only via a trusted network or VPN. Then plan a quick patch. If you use reverse proxy authentication, prioritize configuring your web server to strip all identity headers from external requests, since that's the most dangerous attack vector.


Learn More

Kanboard released version 1.2.49 to patch three security vulnerabilities that allow attackers to take over accounts and steal user data. 

Vulnerabilities summary:

  • CVE-2026-21881 (CVSS score 9.1) - A critical authentication bypass that occurs when the REVERSE_PROXY_AUTH configuration is active. The application blindly trusts identity information from HTTP headers without verifying that the request came from a trusted reverse proxy. By simply adding a header such as X-Remote-User: admin to a request, an attacker gains full access to the dashboard. This flaw allows for complete system compromise, including the ability to create persistent backdoor accounts, modify system settings, and access all private project tasks and files.
  • CVE-2026-21880 (CVSS score 5.4) - An LDAP injection flaw where user input is not properly sanitized with ldap_escape(). Attackers can use wildcards to enumerate all users and discover sensitive attributes such as email addresses and full names.
  • CVE-2026-21879 (CVSS score 4.7) - An open redirect vulnerability in which protocol-relative URLs (e.g., //evil.com) bypass the URL filter. Attackers can trick authenticated users into visiting malicious sites to steal credentials or distribute malware.

Administrators should update to Kanboard 1.2.49 as soon as possible. If an immediate update is not possible, disable REVERSE_PROXY_AUTH in the configuration file. It is also vital to configure web servers such as Nginx or Apache to strip any client-supplied authentication headers before they reach the application.
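The header-stripping mitigation above, as a constructed Nginx example added here (not from the Kanboard project or its documentation). It assumes Kanboard reads the identity from X-Remote-User and listens on a loopback upstream; the hostname, network range, htpasswd path and upstream address are placeholders.

```nginx
# Constructed example, not Kanboard's own configuration.
# Assumes Kanboard is started with REVERSE_PROXY_AUTH enabled and reads the
# user name from the X-Remote-User header (as in the advisory).

# WEAK: the proxy forwards whatever the client sends, so a request carrying
# "X-Remote-User: admin" reaches the application unchanged.
#
# server {
#     listen 443 ssl;
#     location / {
#         proxy_pass http://127.0.0.1:8080;
#     }
# }

# CORRECTED: authenticate at the proxy, then overwrite the identity header so a
# client-supplied value is never forwarded.
server {
    listen 443 ssl;
    server_name kanboard.example.internal;    # placeholder hostname

    # Reach the proxy only from the trusted network / VPN (placeholder range).
    allow 10.0.0.0/8;
    deny  all;

    location / {
        # Authentication happens here; $remote_user is set by nginx from the
        # verified credentials, never from a request header.
        auth_basic           "Kanboard";
        auth_basic_user_file /etc/nginx/kanboard.htpasswd;   # placeholder path

        # proxy_set_header replaces any same-named header from the client, so a
        # spoofed X-Remote-User is discarded rather than passed through.
        proxy_set_header X-Remote-User $remote_user;

        # An empty value makes nginx drop the header entirely: clear any other
        # identity header name the application might be configured to read.
        proxy_set_header Remote-User "";

        proxy_set_header Host $host;
        # The upstream must bind to loopback only; if Kanboard is reachable
        # directly on port 8080, the proxy can simply be bypassed.
        proxy_pass http://127.0.0.1:8080;     # placeholder upstream
    }
}
```

Verify the result by sending a request with a forged X-Remote-User header through the proxy and confirming in the application's access log that the session is attributed to the proxy-authenticated user, not the forged one.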
