CVE-2026-33058
Authenticated SQL Injection in Kanboard Allows Full Database Dump
Publication date: 2026-03-18
Last updated on: 2026-03-18
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kanboard | kanboard | to 1.2.51 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33058 is a high-severity authenticated SQL injection vulnerability in Kanboard project management software versions up to 1.2.50. It occurs because the system does not properly sanitize the `external_id_column` parameter in the project permissions handler, specifically in the `addUser` method accessible via the `/project/N/permissions` endpoint.
Authenticated users who have permission to add users to a project can exploit this flaw by injecting arbitrary SQL code through the `external_id_column` parameter. This is possible because the sanitization method prematurely returns the input unchanged if it contains spaces or dots, allowing SQL injection.
Exploitation allows attackers to dump the entire Kanboard database, extract sensitive information such as admin API keys, and escalate their privileges to administrator roles. The vulnerability is fixed in Kanboard version 1.2.51.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including full disclosure of the Kanboard database contents to an attacker with limited permissions.
- Attackers can extract sensitive data such as user information and admin API keys.
- It enables privilege escalation, allowing attackers to gain administrator access.
- The attack requires only low privileges (permission to add users to a project) and no user interaction, making it easier to exploit.
- Confidentiality of the system is highly impacted, while integrity impact is low and availability is not affected.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the `/project/N/permissions` endpoint where the `external_id_column` POST parameter is used. Since the flaw involves an authenticated SQL injection, detection requires an authenticated user with permission to add users to a project.
One practical approach is to use automated SQL injection detection tools such as SQLMap targeting the `external_id_column` parameter to verify if injection is possible.
- Use SQLMap with authentication cookies and POST data to test the `external_id_column` parameter for SQL injection.
- Manually send crafted POST requests to `/project/N/permissions` with payloads in `external_id_column` containing SQL injection patterns to observe if the database responds abnormally.
A proof-of-concept Python script exists that automates this detection by retrieving CSRF tokens and sending blind SQL injection payloads to extract data, which can be adapted for detection purposes.
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation is to upgrade Kanboard to version 1.2.51 or later, where this vulnerability has been fixed.
Until the upgrade can be performed, restrict permissions so that only fully trusted users have the ability to add users to projects, as the vulnerability requires this permission.
Monitor and audit the use of the `/project/N/permissions` endpoint for suspicious activity, especially POST requests modifying the `external_id_column` parameter.
Consider implementing additional web application firewall (WAF) rules to detect and block SQL injection attempts targeting this parameter.