CVE-2025-52560
📋 TL;DR
Kanboard versions before 1.2.46 build the absolute URL used in password reset emails from the unvalidated HTTP Host header whenever the application_url setting is unset (the default). An unauthenticated attacker can trigger a reset for a victim's account while sending a Host header that points at a domain they control; the victim then receives a genuine-looking email whose reset link carries the token to the attacker's domain. If the victim clicks it, the attacker learns the token, completes the reset and takes over the account. Every user for whom a password reset is initiated while application_url is unset is affected.
💻 Affected Systems
- Kanboard, all versions before 1.2.46 (any deployment with application_url unset)
📦 What is this software?
Kanboard is an open-source, self-hosted Kanban project management web application written in PHP, published by the Kanboard project.
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of all users including administrators, leading to full system compromise, data theft, and potential privilege escalation across the Kanboard instance.
Likely Case
Targeted account takeover of specific users through phishing campaigns, resulting in unauthorized access to project data, task manipulation, and potential lateral movement.
If Mitigated
No impact once application_url is set: reset links are then built from the configured URL and the Host header is ignored. Without that setting, the attack still depends on the victim clicking the poisoned link, but the email is legitimate in every other respect, so this is not a defence to rely on.
🎯 Exploit Status
The server-side part is straightforward: the attacker needs no authentication, only the victim's username or email address and the ability to send a request with a spoofed Host header to the reset endpoint. The remaining step is social: the victim has to click the reset link, which arrives as a real email from the real instance.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.46
Vendor Advisory: https://github.com/kanboard/kanboard/security/advisories/GHSA-2ch5-gqjm-8p92
Restart Required: Yes
Instructions:
1. Back up the Kanboard installation directory and the database.
2. Download version 1.2.46 or later from the official repository (for container deployments, pull the corresponding image tag).
3. Replace the application files with the new version, keeping your existing data directory and config.php.
4. Restart the web server (and PHP-FPM, if used).
5. Verify that the running version is 1.2.46 or later. Set application_url anyway, so that generated links never depend on the Host header.
🔧 Temporary Workarounds
Set the application_url configuration
Manually configure the application_url parameter so that absolute URLs in emails are built from a fixed value instead of the request's Host header.
Edit config.php and add: define('APP_URL', 'https://your-kanboard-domain.com/');
The same value is exposed in the web interface under Settings > Application settings > Application URL. Whichever way it is set, use the exact scheme and hostname users are expected to see, since every password reset link will be built from it.
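To make the defect and the workaround concrete, here is an added Python model, written for this page, of how an absolute reset link gets assembled. It is not Kanboard's PHP code; the function names, the sample token, the host names and the reset path are illustrative assumptions. Only the behaviour matters: with no configured application URL the vulnerable version trusts whatever Host the client sent, while the hardened version uses the configured URL and otherwise refuses any host outside an allowlist.

```python
"""Added example: model of password reset link construction, vulnerable vs hardened.
Not Kanboard's code; all names, hosts, the token and the reset path are illustrative."""
from urllib.parse import urlsplit

SAMPLE_TOKEN = "d3adb33f-example"        # constructed placeholder, not a real token
TRUSTED_HOST = "kanboard.example.com"    # assumed canonical hostname of the instance


def reset_link_unsafe(headers: dict, token: str, application_url: str = "") -> str:
    """Vulnerable behaviour: if application_url is unset (the default), the base
    of the absolute URL comes straight from the client-supplied Host header."""
    if application_url:
        base = application_url.rstrip("/")
    else:
        scheme = "https" if headers.get("X-Forwarded-Proto") == "https" else "http"
        base = f"{scheme}://{headers.get('Host', '')}"
    return f"{base}/password-reset/change/{token}"


def reset_link_safe(headers: dict, token: str, application_url: str = "",
                    allowed_hosts: frozenset = frozenset({TRUSTED_HOST})) -> str:
    """Hardened behaviour: always prefer the configured application_url; without
    one, only accept a Host value from an explicit allowlist and fail closed."""
    if application_url:
        base = application_url.rstrip("/")
    else:
        host = headers.get("Host", "").lower()
        if host not in allowed_hosts:
            raise ValueError(f"refusing to build reset link for unexpected Host {host!r}")
        base = f"https://{host}"
    return f"{base}/password-reset/change/{token}"


def link_leaks_token(link: str, trusted_host: str = TRUSTED_HOST) -> bool:
    """True when the reset link would deliver the token to any host other than
    the instance's own, which is exactly the condition the attacker exploits."""
    return urlsplit(link).hostname != trusted_host.lower()


if __name__ == "__main__":
    poisoned = {"Host": "attacker.example"}   # constructed attacker request
    print("unsafe, no APP_URL :", reset_link_unsafe(poisoned, SAMPLE_TOKEN))
    print("unsafe, APP_URL set:", reset_link_unsafe(poisoned, SAMPLE_TOKEN,
                                                     "https://kanboard.example.com/"))
    try:
        reset_link_safe(poisoned, SAMPLE_TOKEN)
    except ValueError as exc:
        print("safe, no APP_URL   :", exc)
```

Running the script shows the poisoned request producing a link on attacker.example in the vulnerable path, the same request producing a correct link once an application URL is configured, and the hardened builder refusing to emit anything for an unknown host. The allowlist fallback exists only for the case where no application URL is configured; a fixed, configured URL remains the simpler and safer choice.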
🧯 If You Can't Patch
- Configure the application_url parameter (config.php or Settings > Application settings) so reset links no longer derive from the Host header
- Make the reverse proxy or web server reject requests whose Host header is not the instance's canonical name (for example by serving a default virtual host that returns an error), so spoofed Host values never reach Kanboard
- Restrict access to the password reset endpoint to trusted networks at the proxy if the instance does not need to be reachable from the internet
🔍 How to Verify
Check if Vulnerable:
The instance is vulnerable if the Kanboard version is below 1.2.46 and application_url is not set (no APP_URL in config.php and an empty Application URL in Settings > Application settings).
Check Version:
Read the version shown in the web interface (Settings > About) or the version string in the installed source tree.
Verify Fix Applied:
Confirm the version is 1.2.46 or higher. As a functional check, request a password reset while sending a Host header for a domain you control and confirm the link in the resulting email still points at the instance's own hostname. Keep application_url set even after patching.
📡 Detection & Monitoring
Log Indicators:
- Password reset requests whose Host header differs from the instance's canonical hostname
- Password reset requests for administrator or other privileged accounts from unexpected source addresses
- Repeated reset requests for the same user in a short period
- Note that the default "combined" access-log format does not record the Host header; enable a format that does (Apache %{Host}i, nginx $host or $http_host) before relying on the indicators above
Network Indicators:
- HTTP requests to the password reset endpoint (controller=PasswordResetController, or /password-reset with URL rewriting enabled) carrying a Host header that is not the expected domain, in particular one that resolves outside your infrastructure
SIEM Query:
source="web_server_logs" AND (uri="*controller=PasswordResetController*" OR uri="/password-reset*") AND (status=200 OR status=302) AND NOT host="expected-domain.com"
This is a template: field names (uri, host, status) and the wildcard syntax depend on the SIEM, and "host" must refer to the logged Host request header, not the log source's own hostname.
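The query above encodes a rule that is easy to check offline before committing it to a SIEM. The following Python is an added example written for this page, not a Kanboard or vendor tool, that runs the same rule over a handful of constructed access-log lines. It assumes a custom log format that records the request's Host header (for example Apache %h %{Host}i "%r" %>s; the default combined format does not include it), and matches both reset endpoint shapes, the query-string form and the rewritten /password-reset path. The expected host set, the regex and the sample lines are assumptions to adapt to the real deployment.

```python
"""Added example: flag password reset requests whose Host header is not the
instance's canonical name. All log lines below are constructed for illustration."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

EXPECTED_HOSTS = frozenset({"kanboard.example.com"})   # assumed canonical name(s)

# Assumed access-log format: <client> <Host header> "<request line>" <status>
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<host>\S+) "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})$'
)

# Constructed sample: two legitimate reset requests, two with a spoofed Host,
# and two unrelated requests that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 kanboard.example.com "GET /?controller=PasswordResetController&action=create HTTP/1.1" 200
203.0.113.5 kanboard.example.com "POST /?controller=PasswordResetController&action=save HTTP/1.1" 302
198.51.100.7 attacker.example "POST /?controller=PasswordResetController&action=save HTTP/1.1" 302
198.51.100.7 attacker.example "POST /password-reset HTTP/1.1" 302
203.0.113.9 kanboard.example.com "GET /?controller=DashboardController&action=show HTTP/1.1" 200
198.51.100.7 kanboard.example.com "GET /?controller=AuthController&action=login HTTP/1.1" 200
"""


def is_reset_request(uri: str) -> bool:
    """Match both URL shapes: ?controller=PasswordResetController and /password-reset."""
    parts = urlsplit(uri)
    if parts.path == "/password-reset" or parts.path.startswith("/password-reset/"):
        return True
    return parse_qs(parts.query).get("controller") == ["PasswordResetController"]


def find_host_header_abuse(log_text: str, expected_hosts=EXPECTED_HOSTS) -> list:
    """Return (client, host, uri, status) for reset requests sent with an unexpected Host."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_reset_request(m["uri"]):
            continue
        host = m["host"].lower().split(":")[0]   # ignore an explicit port
        if host not in expected_hosts:
            hits.append((m["client"], m["host"], m["uri"], int(m["status"])))
    return hits


def reset_requests_per_client(log_text: str) -> Counter:
    """Count reset requests per source address, for the repeated-attempts indicator."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_reset_request(m["uri"]):
            counts[m["client"]] += 1
    return counts


if __name__ == "__main__":
    for hit in find_host_header_abuse(SAMPLE_LOG):
        print("reset request with unexpected Host:", hit)
    print("reset requests per client:", reset_requests_per_client(SAMPLE_LOG).most_common())
```

On the sample, only the two requests from 198.51.100.7 carrying Host attacker.example are reported; the login request from the same address is ignored because it does not touch the reset endpoint. The per-client counter is a cheap second signal, since poisoning attempts against several victims usually come from one source.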