CVE-2026-29056
Privilege Escalation in Kanboard via Unrestricted Role Injection
Publication date: 2026-03-18
Last updated on: 2026-03-18
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kanboard | kanboard | < 1.2.51 (all releases up to and including 1.2.50; fixed in 1.2.51) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-915 | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29056 is a high-severity privilege escalation vulnerability in Kanboard versions before 1.2.51 (up to and including 1.2.50). The user invite registration endpoint accepts every POST parameter it receives, including the 'role' field, without filtering.

An attacker who holds an invite link can add 'role=app-admin' to the registration form submission and thereby create an administrator account. The register() method hands the complete set of submitted values straight to the user-creation function without removing the 'role' parameter.

The root cause is improper handling of role assignment during registration: the endpoint neither allow-lists the fields a registrant may set nor assigns the role server-side, so the 'role' attribute is mass-assigned from client input (CWE-915). [1]
How can this vulnerability impact me?
This vulnerability allows any invited user to escalate their privileges to an administrator by manipulating the registration data.
With administrator privileges, an attacker can gain full control over the Kanboard instance.
Furthermore, if the instance also carries a weakness that is reachable only with administrator rights, such as an authenticated remote code execution vector, this escalation can be chained with it to obtain code execution on the server.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation attempts can be detected by inspecting HTTP POST requests to the user invite registration route (handled by UserInviteController::register()) for a 'role' parameter in the submitted form data. The legitimate registration form never sends 'role', so any occurrence is suspicious; 'role=app-admin' or another elevated role indicates an escalation attempt.

Two caveats before relying on log searches: a default nginx or Apache access log records only the request line, not the POST body, so a grep for 'role=app-admin' only succeeds if the parameter was sent in the query string or the log format (for example at a reverse proxy or WAF) captures request bodies; and packet capture shows the parameter only on plaintext HTTP, so for HTTPS capture behind TLS termination.

- Searching web server logs for POST requests containing 'role=app-admin', where the log format includes the request body:
  grep 'POST' /var/log/nginx/access.log | grep 'role=app-admin'
- Capturing HTTP POST data with tcpdump or Wireshark and filtering for 'role=app-admin', for example:
  tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'role=app-admin'
- Independently of traffic, review the Kanboard user list for accounts holding the app-admin role that nobody provisioned. [1]
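The detection logic above, run over a few constructed log lines, as an added Python example (not Kanboard's code or any vendor tool). It assumes a reverse-proxy log format that appends the raw POST body as body="..." (a stock access log has no such field), writes the invite route in Kanboard's controller/action query-string style, and treats the admin user-creation route and the token parameter as assumptions; it also shows why a route-unaware grep for 'role=app-admin' both over- and under-reports.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines (not real Kanboard or nginx output). Assumed format:
# a reverse-proxy log that appends body="..." holding the raw POST body.
# Routes and token parameter are assumptions, not verified Kanboard URLs.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Mar/2026:10:01:02 +0000] "POST /?controller=UserInviteController&action=register&token=abc HTTP/1.1" 302 body="username=alice&password=Secr3t%21&confirmation=Secr3t%21"
198.51.100.2 - - [18/Mar/2026:10:02:10 +0000] "GET /?controller=UserInviteController&action=register&token=def HTTP/1.1" 200 body=""
203.0.113.9 - - [18/Mar/2026:10:03:44 +0000] "POST /?controller=UserInviteController&action=register&token=def HTTP/1.1" 302 body="username=mallory&password=x&confirmation=x&role=app-admin"
203.0.113.9 - - [18/Mar/2026:10:06:00 +0000] "POST /?controller=UserInviteController&action=register&token=ghi HTTP/1.1" 302 body="username=eve&password=x&confirmation=x&role=app-manager"
203.0.113.7 - - [18/Mar/2026:10:07:15 +0000] "POST /?controller=UserCreationController&action=save HTTP/1.1" 302 body="username=bob&role=app-admin"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) body="(?P<body>[^"]*)"$'
)
INVITE_REGISTER = "controller=UserInviteController&action=register"  # assumed route
ELEVATED_ROLES = {"app-admin", "app-manager"}


def find_role_injection(log_text):
    """Return one record per POST to the invite registration route whose body
    carries a 'role' parameter. The legitimate invite form never sends it,
    so any value is suspicious; elevated values are the actual escalation."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or INVITE_REGISTER not in m["target"]:
            continue
        params = parse_qs(m["body"], keep_blank_values=True)
        if "role" not in params:
            continue
        role = params["role"][0]
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "username": params.get("username", [""])[0],
            "role": role,
            "elevated": role in ELEVATED_ROLES,
            # In this assumed log a 302 after the POST is the normal redirect on
            # successful registration; treat it as "likely succeeded", not proof.
            "status": int(m["status"]),
        })
    return hits


def naive_grep(log_text):
    """What 'grep role=app-admin' sees: every line containing the string,
    including a legitimate admin creating a user on another route, while
    missing 'role=app-manager' entirely."""
    return [ln for ln in log_text.splitlines() if "role=app-admin" in ln]


if __name__ == "__main__":
    for h in find_role_injection(SAMPLE_LOG):
        flag = "ELEVATED" if h["elevated"] else "unexpected"
        print("%s %s user=%s role=%s (%s) status=%d"
              % (h["ts"], h["ip"], h["username"], h["role"], flag, h["status"]))
    print("naive grep matched %d lines" % len(naive_grep(SAMPLE_LOG)))
```

On the sample, the route-aware parser reports the two invite registrations carrying a role and skips the admin's own user-creation request, whereas the plain grep matches the admin request and misses the app-manager attempt.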
What immediate steps should I take to mitigate this vulnerability?
Upgrade Kanboard to version 1.2.51 or later, where the vulnerability is fixed.

If upgrading is not immediately possible, a temporary workaround is to modify UserInviteController::register() to drop the 'role' field from the POST data before the user is created, for example by adding unset($values["role"]); ahead of the user-creation call. This is a deny-list patch: it blocks only the one field named, so the durable form of the fix is to copy only the expected registration fields into $values and set the role server-side.

Additionally, restrict who can generate and receive invite links, and audit user registrations for unexpected administrator accounts. [1]
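The mass-assignment flaw described in the explanation above and the two mitigations just discussed (the interim unset of 'role' and the allow-list fix), modelled side by side as an added Python example. Kanboard is PHP and none of its classes, function names or storage are reproduced here; the three role names are Kanboard's application roles, and the in-memory user store, the registration field list and the extra column in the attacker's submission are assumptions for illustration.

```python
"""Mass assignment of 'role' at registration: vulnerable, deny-listed, allow-listed."""

APP_ROLES = ("app-user", "app-manager", "app-admin")    # Kanboard's application roles
DEFAULT_ROLE = "app-user"                               # what a fresh registrant should get
REGISTRATION_FIELDS = ("username", "password", "name", "email")  # assumed form fields


class UserStore:
    """In-memory stand-in for the users table (assumed; not Kanboard's model)."""

    def __init__(self):
        self.users = {}

    def create(self, values):
        # Mass-assignment sink: persists every key it is handed. The caller must
        # decide which keys may originate from the client; the sink does not.
        row = {"role": DEFAULT_ROLE}
        row.update(values)
        if row["role"] not in APP_ROLES:
            raise ValueError("unknown role %r" % row["role"])
        self.users[row["username"]] = row
        return row


def register_vulnerable(store, post):
    """The flawed pattern: the whole POST dict reaches the sink unchanged, so a
    client-supplied 'role' (or any other column) is written as submitted."""
    return store.create(dict(post))


def register_denylisted(store, post):
    """The interim workaround from the advisory: unset the 'role' key. It stops
    this exploit but still passes every other unexpected key through."""
    values = dict(post)
    values.pop("role", None)
    return store.create(values)


def register_hardened(store, post):
    """Allow-list the fields a registrant may set and assign the role
    server-side. Unknown keys, 'role' included, never reach the sink."""
    values = {k: post[k] for k in REGISTRATION_FIELDS if k in post}
    values["role"] = DEFAULT_ROLE
    return store.create(values)


# Constructed attacker submission: the invite form fields plus an injected
# 'role' and one extra column that is not part of the form (assumed name).
ATTACKER_POST = {
    "username": "mallory",
    "password": "correct horse battery staple",
    "role": "app-admin",
    "unexpected_column": "1",
}


def demo():
    """Run the same submission through all three handlers; return, per handler,
    the stored role and any stored columns outside the expected form fields."""
    results = {}
    for name, handler in (("vulnerable", register_vulnerable),
                          ("denylisted", register_denylisted),
                          ("hardened", register_hardened)):
        row = handler(UserStore(), ATTACKER_POST)
        leaked = sorted(k for k in row if k not in REGISTRATION_FIELDS and k != "role")
        results[name] = (row["role"], leaked)
    return results


if __name__ == "__main__":
    for name, (role, leaked) in demo().items():
        print("%-10s role=%-11s extra columns written=%s" % (name, role, leaked or "none"))
```

The deny-list variant stops the role injection but still writes the unexpected column, which is why the advisory's unset() is an interim measure and the allow-list is the fix to keep.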