CVE-2026-21880
LDAP Injection in Kanboard Allows LDAP User Enumeration
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kanboard | kanboard | to 1.2.49 (exc) |
| kanboard | kanboard | to 1.2.48 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-90 | The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21880 is an LDAP injection vulnerability in Kanboard versions 1.2.48 and below. The vulnerability occurs because user-supplied input is directly inserted into LDAP search filters without proper sanitization. This allows attackers to inject LDAP metacharacters into the filter, enabling them to enumerate all LDAP users, discover sensitive user attributes like usernames and emails, and perform targeted attacks against specific accounts. The issue arises from the lack of escaping special characters in the LDAP filter construction, violating secure coding practices. The vulnerability is fixed in version 1.2.49 by properly escaping user input using the ldap_escape function with the LDAP_ESCAPE_FILTER flag. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to enumerate all LDAP users in your Kanboard instance and access sensitive user attributes such as usernames and email addresses. Although it does not allow authentication bypass, the information disclosure can facilitate targeted attacks against specific user accounts. Attackers can exploit this flaw remotely without any privileges or user interaction, making it a moderate security risk. This could lead to privacy breaches and increased risk of further attacks on your system. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring LDAP authentication attempts for unusual LDAP filter patterns that include special characters such as '*', which indicate LDAP injection attempts. Specifically, look for LDAP search filters like '(uid=*)' or '(uid=admin*)' in LDAP server logs. Additionally, testing can be performed by submitting crafted LDAP filter payloads (e.g., username=* or username=admin*) to the Kanboard login page and observing if the server returns all user entries or targeted user information. An exploit script in Python automates this by fetching the CSRF token and sending injection payloads to verify if the LDAP filters are vulnerable. Commands to check LDAP logs depend on your LDAP server but typically include commands like `grep '(uid=*)' /var/log/ldap.log` or equivalent to find suspicious LDAP queries. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade Kanboard to version 1.2.49 or later, where the vulnerability is fixed by properly escaping all user-supplied input in LDAP filters using the `ldap_escape()` function with the `LDAP_ESCAPE_FILTER` flag. If upgrading is not immediately possible, as a temporary measure, restrict access to the LDAP authentication mechanism, monitor and block suspicious LDAP queries, and avoid exposing the Kanboard LDAP login interface to untrusted networks. Applying the patch that escapes LDAP filter inputs prevents injection by treating special characters as literals. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to enumerate LDAP users and discover sensitive user attributes such as usernames and emails, leading to information disclosure. This exposure of sensitive personal data could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal information against unauthorized access and disclosure. Therefore, the LDAP injection vulnerability in Kanboard versions up to 1.2.48 poses a risk to compliance with such standards by potentially enabling unauthorized access to sensitive user data. [2]