CVE-2026-25531
Permission Bypass in Kanboard Task Duplication Allows Unauthorized Access
Publication date: 2026-02-13
Last updated on: 2026-02-13
Assigner: GitHub, Inc.
Description
CVSS Scores
CVSS v3.1 base score: 4.3 (moderate), as stated in the impact assessment below.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kanboard | kanboard | all versions before 1.2.50 (fixed in 1.2.50) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized duplication of tasks into projects a user cannot access, by calling the TaskCreationController::duplicateProjects() endpoint in Kanboard versions prior to 1.2.50.

To detect exploitation attempts on your system, monitor logs for unusual task duplication activity, especially attempts to duplicate tasks into projects where the user lacks permission.

Since the vulnerability is in the application layer, network-level detection is limited. You can, however, look for HTTP POST requests to the task duplication endpoint (URLs invoking duplicateProjects). Note that standard web server access logs record the request URL but not the POST body, so the submitted project IDs will usually not appear there; correlate the requests you find with which tasks were created, in which projects and by whom.

Suggested commands: search your web server or application logs for POST requests to the duplication endpoint. For example, using grep:

- grep -i 'duplicateProjects' /var/log/apache2/access.log
- grep -i 'duplicateProjects' /var/log/nginx/access.log
- grep -i 'project_ids' /path/to/kanboard/logs/*.log

Additionally, review Kanboard application logs for AccessForbiddenException events or anomalies in task duplication operations. [2]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Kanboard to version 1.2.50 or later, where the vulnerability is fixed by adding a permission check on every target project during task duplication.
If an immediate upgrade is not possible, restrict access to the TaskCreationController::duplicateProjects() endpoint (for example at the web server or reverse proxy) to trusted users only, or disable the task duplication feature temporarily.
Review user permissions and audit recent task duplication activity to identify any tasks that were copied into projects their creator is not a member of.
If you maintain a patched fork, backport the fix, which verifies each target project with projectPermissionModel->isUserAllowed() before creating the copies.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
Can you explain this vulnerability to me?
This vulnerability exists in Kanboard project management software prior to version 1.2.50. Specifically, the TaskCreationController::duplicateProjects() endpoint does not validate the user's permissions on the target projects when duplicating a task. An authenticated user can therefore duplicate tasks into projects they do not have access to, bypassing project access controls.

The root cause is a missing authorization check on each target project during task duplication. The vulnerable code checks permissions on the source project only, not on the destination projects, which allows unauthorized task injection into restricted projects.

The issue was fixed by verifying permission on each target project with the projectPermissionModel->isUserAllowed() method, using the ID of the user taken from the current session. If the user lacks permission on any target project, the duplication is blocked by throwing an AccessForbiddenException. [1, 2]
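The two shapes described above, as an added illustration that is not Kanboard's own code: a handler that authorizes only the source project, beside the same handler with an isUserAllowed() check on every target project before anything is written. The permission model, task store, user IDs and project IDs are invented stand-ins, and the user ID is passed in as a plain value where Kanboard would take it from the session (PHP 7.4 or later):

```php
<?php
declare(strict_types=1);

// Added illustration, not Kanboard's own code. It models the CWE-862 pattern
// described above with an in-memory permission table: first the handler that
// checks the source project but not the targets, then the same handler with a
// check on every target. Class names, user ids and project ids are invented.

class AccessForbiddenException extends RuntimeException {}

// Stand-in for Kanboard's projectPermissionModel; the membership table is constructed data.
class ProjectPermissionModel
{
    /** @var array<int, int[]> project id => user ids allowed to act on it */
    private array $members = [
        10 => [1, 2], // project 10: users 1 and 2
        20 => [2],    // project 20: user 2 only
        30 => [3],    // project 30: user 3 only
    ];

    public function isUserAllowed(int $projectId, int $userId): bool
    {
        return in_array($userId, $this->members[$projectId] ?? [], true);
    }
}

// Minimal task store so the effect of each handler is visible.
class TaskStore
{
    /** @var array<int, array{project_id:int,title:string,creator_id:int}> */
    public array $tasks = [];

    public function create(int $projectId, string $title, int $creatorId): void
    {
        $this->tasks[] = ['project_id' => $projectId, 'title' => $title, 'creator_id' => $creatorId];
    }
}

// Vulnerable shape: only the source project is authorized; the project_ids taken
// from the request body are trusted, so a copy lands in any project the caller names.
function duplicateProjectsVulnerable(
    ProjectPermissionModel $perm, TaskStore $store, int $userId,
    int $sourceProjectId, array $projectIds, string $title
): void {
    if (!$perm->isUserAllowed($sourceProjectId, $userId)) {
        throw new AccessForbiddenException("no access to source project $sourceProjectId");
    }
    foreach ($projectIds as $projectId) {
        $store->create((int) $projectId, $title, $userId); // missing check on the target
    }
}

// Fixed shape: every target is verified for the current user before any copy is
// written, so one forbidden id rejects the whole request instead of half-applying it.
function duplicateProjectsFixed(
    ProjectPermissionModel $perm, TaskStore $store, int $userId,
    int $sourceProjectId, array $projectIds, string $title
): void {
    if (!$perm->isUserAllowed($sourceProjectId, $userId)) {
        throw new AccessForbiddenException("no access to source project $sourceProjectId");
    }
    foreach ($projectIds as $projectId) {
        if (!$perm->isUserAllowed((int) $projectId, $userId)) {
            throw new AccessForbiddenException("no access to target project $projectId");
        }
    }
    foreach ($projectIds as $projectId) {
        $store->create((int) $projectId, $title, $userId);
    }
}

// Demo: user 1 belongs to project 10 only and submits project_ids=[10, 30].
$perm   = new ProjectPermissionModel();
$userId = 1; // in Kanboard this would come from the session

$store = new TaskStore();
duplicateProjectsVulnerable($perm, $store, $userId, 10, [10, 30], 'copied task');
printf("vulnerable: %d tasks written, including one in project 30\n", count($store->tasks));

$store = new TaskStore();
try {
    duplicateProjectsFixed($perm, $store, $userId, 10, [10, 30], 'copied task');
} catch (AccessForbiddenException $e) {
    printf("fixed: rejected (%s), %d tasks written\n", $e->getMessage(), count($store->tasks));
}
```

Run it with php from the command line. Checking all targets before the first write is a design choice made in this example so that a request mixing permitted and forbidden projects is rejected as a whole rather than partially applied; a check inside the write loop would still close the bypass but could leave copies in the permitted projects when a later id fails.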
How can this vulnerability impact me?
This vulnerability allows an authenticated user to inject tasks into projects they are not authorized to access. While the user cannot directly access or view those projects, they can manipulate project data by adding tasks.
- Violation of project boundaries and access controls.
- Integrity impact due to unauthorized modification of project data.
- No impact on confidentiality or availability.
The severity is rated moderate, with a CVSS v3.1 score of 4.3: a low-complexity attack that requires only low privileges (an authenticated account) and no user interaction.