CVE-2026-56774
Status: Deferred - Pending Action
Session ID Removal Flaw in Kanboard

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: VulnCheck

Description
In Kanboard through 1.2.52 (fixed in commit 928c68a), UserViewController::removeSession fails to validate the session id parameter before passing it to RememberMeSessionModel::remove, allowing authenticated users to delete other users' Remember Me sessions. Attackers can enumerate sequential session IDs and mass-invalidate the persistent login sessions of any user, including administrators, forcing re-authentication and causing denial of service.
Meta Information
Generated: 2026-06-26
AI Q&A generated: 2026-06-25
EPSS evaluated: N/A
Affected Vendors & Products
Vendor: kanboard
Product: kanboard
Version / Range: up to and including 1.2.52
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Quick Actions (instant insights powered by AI)
Compliance Impact

This vulnerability allows authenticated users to delete other users' persistent login sessions, including administrators, by exploiting an insecure direct object reference (IDOR) flaw. Attackers can mass-invalidate sessions, causing denial of service by forcing re-authentication.

While the vulnerability does not allow full account takeover or data exfiltration, it compromises session integrity and availability, which could impact compliance with standards that require maintaining secure user authentication and session management.

Standards like GDPR and HIPAA emphasize protecting user data and ensuring availability and integrity of systems. This vulnerability could lead to denial of service for users and administrators, potentially violating availability requirements and undermining trust in session security.

Therefore, organizations using affected Kanboard versions may face compliance risks related to session management and availability controls until the vulnerability is patched.

Detection Guidance

This vulnerability lets authenticated users delete other users' persistent login sessions because the session ID parameter is not validated against the caller. Detection can focus on unusual session invalidation patterns, in particular repeated session deletions that do not correspond to the authenticated user's own sessions.

Specifically, you can look for sequential session ID enumeration attempts or mass invalidation of sessions in your Kanboard logs or database.

Commands to detect this might include querying the database for recent session deletions or monitoring web server logs for suspicious requests to the session removal endpoint.

  • Check the 'remember_me' table for sudden drops in session counts or unusual deletion timestamps.
  • Use SQL queries such as: SELECT * FROM remember_me WHERE deletion_timestamp >= 'YYYY-MM-DD HH:MM:SS'; to identify recent deletions.
  • Monitor web server access logs for repeated calls to the session removal endpoint with varying session IDs, e.g., grep 'removeSession' /var/log/nginx/access.log | awk '{print $7}' | sort | uniq -c

Since the vulnerability involves unvalidated session ID parameters, any automated or scripted requests enumerating session IDs can be a sign of exploitation attempts.
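The access-log check described above, worked out as an added example (this is not code from the page or from the Kanboard project). It parses nginx combined-format lines, keeps only requests whose action is removeSession, and flags any client address that removed many distinct session IDs or walked a run of consecutive IDs. The sample lines are constructed, and the query-string shape (controller, action, user_id, id) is an assumption about Kanboard's URLs that should be checked against your own logs before use; note that the web log identifies the client address, not the authenticated user, so a flagged client still needs correlating with the application's own user records.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Regex for the nginx "combined" log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not from a real deployment). The query-string
# shape (controller/action/user_id/id) is an assumption about Kanboard's URLs.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jun/2026:10:00:01 +0000] "GET /?controller=UserViewController&action=removeSession&user_id=7&id=41 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Jun/2026:10:00:02 +0000] "GET /?controller=UserViewController&action=removeSession&user_id=7&id=42 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Jun/2026:10:00:02 +0000] "GET /?controller=BoardViewController&action=show&project_id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Jun/2026:10:00:03 +0000] "GET /?controller=UserViewController&action=removeSession&user_id=7&id=43 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Jun/2026:10:00:03 +0000] "GET /?controller=UserViewController&action=removeSession&user_id=7&id=44 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Jun/2026:10:00:04 +0000] "GET /?controller=UserViewController&action=removeSession&user_id=7&id=45 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Jun/2026:10:05:00 +0000] "GET /?controller=UserViewController&action=removeSession&user_id=3&id=12 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (client, session_id) for a removeSession request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group("target")).query)
    if query.get("action") != ["removeSession"]:
        return None
    try:
        session_id = int(query["id"][0])
    except (KeyError, ValueError):
        return None
    return m.group("client"), session_id


def session_removals(log_text):
    """Group the session ids targeted by each client address."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            client, session_id = parsed
            by_client[client].append(session_id)
    return by_client


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    best = run = 0
    prev = None
    for value in sorted(set(ids)):
        run = run + 1 if prev is not None and value == prev + 1 else 1
        best = max(best, run)
        prev = value
    return best


def find_enumeration(log_text, min_distinct_ids=3, min_run=3):
    """Flag clients that removed many distinct sessions or walked sequential ids."""
    alerts = []
    for client, ids in session_removals(log_text).items():
        distinct = len(set(ids))
        run = longest_consecutive_run(ids)
        if distinct >= min_distinct_ids or run >= min_run:
            alerts.append({"client": client, "distinct_ids": distinct, "longest_run": run})
    return alerts


if __name__ == "__main__":
    # Against the constructed sample, only 10.0.0.5 is reported (5 ids, run of 5).
    for alert in find_enumeration(SAMPLE_LOG):
        print(f"{alert['client']}: {alert['distinct_ids']} distinct session ids, "
              f"longest sequential run {alert['longest_run']}")
```

The thresholds are deliberately low for the sample; in production, tune min_distinct_ids to what a single user legitimately removes from their own sessions page and add a time window so that a burst of removals stands out from the same count spread over weeks.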

Mitigation Strategies

The primary mitigation is to update Kanboard to a version that includes the fix for this vulnerability, that is, one containing commit 928c68a.

The fix ensures that session removal is scoped to the owner of the session by validating both the session ID and the authenticated user ID before allowing deletion.

  • Apply the patch or upgrade Kanboard to a version including commit 928c68a.
  • Restrict access to the session removal functionality to only authorized users and ensure proper validation of session ownership.
  • Monitor logs for suspicious session deletion activity until the patch is applied.

If immediate upgrade is not possible, consider implementing additional access controls or temporary workarounds to prevent unauthorized session deletions.
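To make the ownership check described above concrete, here is an added example (not Kanboard's code and not the actual patch) that models the flawed and the fixed deletion side by side against an in-memory SQLite table. The schema is a simplified, constructed stand-in for Kanboard's remember_me table (only id, user_id and token are modelled); the function names are hypothetical. The point it shows is that scoping the DELETE by both the session id and the authenticated user's id reduces an enumeration over every id to deleting only the caller's own rows.

```python
import sqlite3

# Constructed seed data: three users, four persistent sessions.
SEED_ROWS = [
    (1, 1, "token-alice-laptop"),
    (2, 2, "token-bob-phone"),
    (3, 2, "token-bob-desktop"),
    (4, 3, "token-admin-workstation"),
]


def create_store():
    """Build an in-memory store with a simplified remember_me table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE remember_me ("
        "id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, token TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO remember_me VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def remove_session_unscoped(conn, session_id):
    """Flawed pattern (CWE-639): the row is selected by id alone, so whoever can
    supply an id can delete any user's session."""
    cur = conn.execute("DELETE FROM remember_me WHERE id = ?", (session_id,))
    conn.commit()
    return cur.rowcount


def remove_session_scoped(conn, session_id, current_user_id):
    """Hardened pattern: the delete is scoped to the session owner, so a mismatched
    owner deletes nothing and the caller learns only that no such session exists."""
    cur = conn.execute(
        "DELETE FROM remember_me WHERE id = ? AND user_id = ?",
        (session_id, current_user_id),
    )
    conn.commit()
    return cur.rowcount


def count_sessions(conn, user_id):
    """Number of persistent sessions a user still holds."""
    return conn.execute(
        "SELECT COUNT(*) FROM remember_me WHERE user_id = ?", (user_id,)
    ).fetchone()[0]


def other_users_sessions_lost(conn, acting_user_id, scoped):
    """Walk every id in the table as `acting_user_id` and report how many sessions
    belonging to *other* users were removed: the impact of the flaw versus the fix."""
    users = [row[0] for row in conn.execute("SELECT DISTINCT user_id FROM remember_me")]
    max_id = conn.execute("SELECT MAX(id) FROM remember_me").fetchone()[0] or 0
    before = {uid: count_sessions(conn, uid) for uid in users}
    for sid in range(1, max_id + 1):
        if scoped:
            remove_session_scoped(conn, sid, acting_user_id)
        else:
            remove_session_unscoped(conn, sid)
    after = {uid: count_sessions(conn, uid) for uid in users}
    return sum(before[u] - after[u] for u in users if u != acting_user_id)


if __name__ == "__main__":
    print("flawed:", other_users_sessions_lost(create_store(), 1, scoped=False))  # 3
    print("fixed: ", other_users_sessions_lost(create_store(), 1, scoped=True))   # 0
```

The same principle applies to any temporary workaround: whatever layer enforces it (a reverse-proxy rule, an application hook), the check must compare the session's owner with the authenticated user, since checking only that the caller is logged in is exactly the condition the flaw already satisfies.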

Executive Summary

This vulnerability exists in Kanboard versions up to 1.2.52. The issue is that the UserViewController::removeSession function does not properly validate the session ID parameter before passing it to RememberMeSessionModel::remove. This flaw allows authenticated users to delete other users' persistent 'Remember Me' login sessions.

Attackers can exploit this by enumerating sequential session IDs and mass-invalidating the persistent login sessions of any user, including administrators.

This forces those users to re-authenticate and can cause a denial of service.

Impact Analysis

The vulnerability can impact you by allowing an authenticated attacker to invalidate the persistent login sessions of other users, including administrators.

This forces affected users to re-authenticate, which can disrupt normal operations.

If exploited on a large scale, it can cause a denial of service by mass-invalidating sessions.
