CVE-2026-33058

Received Received - Intake

Authenticated SQL Injection in Kanboard Allows Full Database Dump

Publication date: 2026-03-18

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description

Kanboard is project management software focused on Kanban methodology. Versions prior to 1.2.51 have an authenticated SQL injection vulnerability. Attackers with the permission to add users to a project can leverage this vulnerability to dump the entirety of the kanboard database. Version 1.2.51 fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-18

Last Modified

2026-03-18

Generated

2026-06-16

AI Q&A

2026-03-18

EPSS Evaluated

2026-06-15

NVD

CVE-2026-33058

EUVD

EUVD-2026-12759

Affected Vendors & Products

Vendor	Product	Version / Range
kanboard	kanboard	to 1.2.51 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2026-33058 is a high-severity authenticated SQL injection vulnerability in Kanboard project management software versions up to 1.2.50. It occurs because the system does not properly sanitize the `external_id_column` parameter in the project permissions handler, specifically in the `addUser` method accessible via the `/project/N/permissions` endpoint.

Authenticated users who have permission to add users to a project can exploit this flaw by injecting arbitrary SQL code through the `external_id_column` parameter. This is possible because the sanitization method prematurely returns the input unchanged if it contains spaces or dots, allowing SQL injection.

Exploitation allows attackers to dump the entire Kanboard database, extract sensitive information such as admin API keys, and escalate their privileges to administrator roles. The vulnerability is fixed in Kanboard version 1.2.51.

Impact Analysis

This vulnerability can have severe impacts including full disclosure of the Kanboard database contents to an attacker with limited permissions.

Attackers can extract sensitive data such as user information and admin API keys.
It enables privilege escalation, allowing attackers to gain administrator access.
The attack requires only low privileges (permission to add users to a project) and no user interaction, making it easier to exploit.
Confidentiality of the system is highly impacted, while integrity impact is low and availability is not affected.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by testing the `/project/N/permissions` endpoint where the `external_id_column` POST parameter is used. Since the flaw involves an authenticated SQL injection, detection requires an authenticated user with permission to add users to a project.

One practical approach is to use automated SQL injection detection tools such as SQLMap targeting the `external_id_column` parameter to verify if injection is possible.

Use SQLMap with authentication cookies and POST data to test the `external_id_column` parameter for SQL injection.
Manually send crafted POST requests to `/project/N/permissions` with payloads in `external_id_column` containing SQL injection patterns to observe if the database responds abnormally.

A proof-of-concept Python script exists that automates this detection by retrieving CSRF tokens and sending blind SQL injection payloads to extract data, which can be adapted for detection purposes.

Mitigation Strategies

The immediate and most effective mitigation is to upgrade Kanboard to version 1.2.51 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, restrict permissions so that only fully trusted users have the ability to add users to projects, as the vulnerability requires this permission.

Monitor and audit the use of the `/project/N/permissions` endpoint for suspicious activity, especially POST requests modifying the `external_id_column` parameter.

Consider implementing additional web application firewall (WAF) rules to detect and block SQL injection attempts targeting this parameter.

Hi! I’m here to help you understand CVE-2026-33058. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-33058

Authenticated SQL Injection in Kanboard Allows Full Database Dump

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart