Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-29056 is a high-severity privilege escalation vulnerability in Kanboard versions up to 1.2.50. It occurs because the user invite registration endpoint accepts all POST parameters, including the 'role' field, without filtering them out."}, {'type': 'paragraph', 'content': "An attacker who receives an invite link can inject 'role=app-admin' in the registration form, which allows them to create an administrator account. This happens because the registration method passes all user input directly to the user creation function without excluding the 'role' parameter."}, {'type': 'paragraph', 'content': "The vulnerability is due to improper handling of user role assignment during registration, specifically a lack of whitelisting or filtering of allowed fields, leading to mass assignment of the 'role' attribute."}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows any invited user to escalate their privileges to an administrator by manipulating the registration data.

With administrator privileges, an attacker can gain full control over the Kanboard instance.

Furthermore, this privilege escalation can be combined with other vulnerabilities, such as remote code execution vectors, to achieve full remote code execution on the server.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by monitoring HTTP POST requests to the user invite registration endpoint and checking for the presence of the 'role' parameter in the submitted data."}, {'type': 'paragraph', 'content': "Specifically, inspecting POST requests to the UserInviteController::register() endpoint for any attempts to set 'role=app-admin' or other elevated roles can indicate exploitation attempts."}, {'type': 'paragraph', 'content': 'You can use network traffic inspection tools or web server logs to identify such requests.'}, {'type': 'list_item', 'content': "Using command-line tools like 'grep' on web server access logs to find POST requests containing 'role=app-admin', e.g.:"}, {'type': 'list_item', 'content': "grep 'POST' /var/log/nginx/access.log | grep 'role=app-admin'"}, {'type': 'list_item', 'content': "Using packet capture tools like 'tcpdump' or 'Wireshark' to filter HTTP POST data containing 'role=app-admin'."}, {'type': 'list_item', 'content': "Example tcpdump command: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'role=app-admin'"}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade Kanboard to version 1.2.51 or later, where the vulnerability is fixed.'}, {'type': 'paragraph', 'content': 'If upgrading is not immediately possible, a temporary workaround is to modify the UserInviteController::register() method to explicitly remove the \'role\' field from the POST data before user creation, for example by adding \'unset($values["role"]);\' in the code.'}, {'type': 'paragraph', 'content': 'Additionally, monitor and restrict access to invite links and audit user registrations for unexpected administrator accounts.'}] [1]

Useful 0 Not Useful 0