CVE-2026-25531

4.3 MEDIUM

📋 TL;DR

This vulnerability allows any authenticated Kanboard user to duplicate tasks into projects they are not a member of, bypassing Kanboard's project-level permission checks. It affects Kanboard versions before 1.2.50; any account that can log in is enough to trigger it. The issue is an incomplete fix for a previous authorization vulnerability in the same feature.

💻 Affected Systems

Products:
  • Kanboard
Versions: All versions before 1.2.50
Operating Systems: All supported platforms (Linux, Windows, macOS)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable code path is TaskCreationController::duplicateProjects(). Any installation where that action is reachable by authenticated users (which is the case in a default install) is affected.

📦 What is this software?

Kanboard is a free, self-hosted, open-source Kanban project management application written in PHP. Access to each project is controlled by per-project membership and roles (manager, member, viewer), which is what this vulnerability bypasses.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A malicious authenticated user duplicates tasks into projects they cannot otherwise see or write to. The duplicated tasks appear in the target project as legitimate work items, which can expose information from the source task to the target project's members, inject misleading or disruptive items into another team's board, and erode trust in the integrity of project data.

🟠

Likely Case

A user, by accident or on purpose, duplicates tasks into projects they should not have access to, leaking task content across project boundaries and creating confusion about which items belong to which board.

🟢

If Mitigated

With the patch applied (or the duplicateProjects action blocked), duplication is confined to projects the user can already write to, so the remaining impact is ordinary misuse within authorized project boundaries.

🌐 Internet-Facing: MEDIUM - Internet-facing instances are vulnerable if attackers obtain authenticated access, but exploitation requires valid credentials.
🏢 Internal Only: MEDIUM - Internal users with malicious intent or accidental misuse could exploit this vulnerability within the organization.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a valid Kanboard account and knowledge of the target project IDs (Kanboard project IDs are small sequential integers, so they are easy to guess). Once authenticated, the vulnerability is straightforward to exploit: no special tooling is needed beyond submitting the duplication request for a project the user does not belong to.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.50

Vendor Advisory: https://github.com/kanboard/kanboard/security/advisories/GHSA-vrm3-3337-whp9

Restart Required: Yes

Instructions:

1. Back up the Kanboard database and installation files.
2. Download Kanboard 1.2.50 or later from the official repository.
3. Replace the existing installation files with the new version, keeping the data directory and config.php.
4. Restart the web server or PHP-FPM so a stale opcache does not keep serving the old code.
5. Verify functionality and confirm the version shown under Settings > About.

🔧 Temporary Workarounds

Disable task duplication feature

Platforms: all

Block the duplicateProjects action at the web server. This also disables the legitimate "create this task in other projects" option for every user until the upgrade. Kanboard selects the controller and action from the query string (index.php?controller=TaskCreationController&action=duplicateProjects), and neither an Apache RewriteRule pattern nor an Nginx location block matches the query string, so the rules must test it explicitly:

# Apache (vhost or .htaccess in the Kanboard web root, RewriteEngine already on):
RewriteCond %{QUERY_STRING} (^|&)action=duplicateProjects(&|$) [NC]
RewriteRule ^ - [F]
# Nginx (inside the server block that serves Kanboard):
if ($arg_action = "duplicateProjects") { return 403; }

If URL rewriting is enabled in Kanboard, confirm with a test request that the action is not still reachable through a rewritten path before relying on this block.

Implement additional permission checks

Platforms: all

Patch the application code so that every target project submitted to the duplication action is checked against the current user's project membership and role before any task is created, instead of trusting the submitted list of project IDs.

# Requires modifying the Kanboard source (TaskCreationController); the change is lost on upgrade, so treat it as a stopgap and upgrade to 1.2.50 or later.
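The check described above, written out as an added example. This is not Kanboard's code and does not call its API; it models the pattern a fix needs: the request may name several target projects, and each one must be authorised for the acting user, not only the project the form was opened from. The role strings follow Kanboard's conventions ('app-admin' as the application role that can write to any project; 'project-manager', 'project-member' and 'project-viewer' as project roles), and the memberships dict is an assumed stand-in for however the application loads a user's project roles.

```python
"""Fail-closed target-project check for a "duplicate task into other projects" action.

Added example, not Kanboard code. Role names follow Kanboard's conventions; the
memberships mapping stands in for the application's own membership lookup.
"""
from typing import Iterable, Mapping

# Project roles that may create tasks in a project; viewers are read-only.
WRITE_ROLES = frozenset({"project-manager", "project-member"})


class TargetProjectDenied(PermissionError):
    """Raised when any requested target project is not writable by the user."""


def normalize_project_ids(raw_ids: Iterable[object]) -> list[int]:
    """Turn form values (strings, duplicates, junk) into unique positive ints.

    Anything that is not a positive integer is rejected outright: silently
    skipping bad values would hide probing attempts from the caller and the logs.
    """
    unique: list[int] = []
    for value in raw_ids:
        try:
            pid = int(str(value).strip())
        except ValueError:
            raise TargetProjectDenied(f"malformed project id {value!r}")
        if pid <= 0:
            raise TargetProjectDenied(f"invalid project id {pid}")
        if pid not in unique:
            unique.append(pid)
    return unique


def authorize_duplicate_targets(
    app_role: str,
    memberships: Mapping[int, str],
    requested_ids: Iterable[object],
) -> list[int]:
    """Return the target project ids the user may duplicate into, or raise.

    app_role      -- the user's application role, e.g. 'app-user' or 'app-admin'
    memberships   -- {project_id: project_role} for the acting user, with direct
                     and group memberships already merged by the caller (assumed)
    requested_ids -- the project ids submitted with the duplication form

    Fails closed: one unauthorised id rejects the whole request, so nothing is
    created and the refusal is visible, instead of the vulnerable behaviour of
    trusting the submitted list.
    """
    targets = normalize_project_ids(requested_ids)
    if app_role == "app-admin":  # assumed: application admins may write anywhere
        return targets
    denied = [pid for pid in targets if memberships.get(pid) not in WRITE_ROLES]
    if denied:
        raise TargetProjectDenied(f"not allowed to create tasks in projects {denied}")
    return targets


if __name__ == "__main__":
    # alice is a member of project 10 but only a viewer of project 20
    alice = {10: "project-member", 20: "project-viewer"}
    print(authorize_duplicate_targets("app-user", alice, ["10", "10"]))
    try:
        authorize_duplicate_targets("app-user", alice, ["10", "20"])
    except TargetProjectDenied as exc:
        print("refused:", exc)
```

The design choice worth copying is the fail-closed behaviour: rejecting the whole request when one target is unauthorised makes an attacker's probing show up as refused requests, whereas filtering the list quietly would still create the permitted tasks and leave no trace of the attempt.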

🧯 If You Can't Patch

  • Keep project memberships minimal and review them regularly, so a bypass exposes as few projects as possible; monitor for tasks appearing in projects whose creator is not a member
  • Reduce the number of accounts that can log in (disable unused accounts, enforce strong authentication) and audit all user access levels, since any valid account can exploit this

🔍 How to Verify

Check if Vulnerable:

Check Kanboard version in admin panel or by examining the application files. Versions below 1.2.50 are vulnerable.

Check Version:

Check Kanboard version in Settings > About or examine app/constants.php for version information

Verify Fix Applied:

After upgrading to 1.2.50 or later, test with a low-privilege account that it cannot duplicate a task into a project it is not a member of: the request should be refused and no new task should appear in the target project.

📡 Detection & Monitoring

Log Indicators:

  • Multiple task duplication events from same user
  • Task duplication attempts to projects user shouldn't access
  • Unusual task creation patterns in audit logs

Network Indicators:

  • POST requests to index.php with action=duplicateProjects, especially from one client or session across many different project IDs
  • Unusual API call patterns to task creation endpoints

SIEM Query:

source="kanboard" AND (action="duplicate" OR endpoint="duplicateProjects") | stats count by user, target_project

(Template only: Kanboard does not emit these field names itself. Map user, action and target_project to the fields your web server access logs or application audit export actually provide.)
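A database-side check that serves both the "Verify Fix Applied" step and the detection section above, as an added example that is not part of this advisory or of Kanboard. A task duplicated into a project through this vulnerability is an ordinary row in the tasks table whose creator has no writable membership in that project, so the detection is a membership join rather than a log search. The table and column names (tasks, projects, users, project_has_users, project_has_groups, group_has_users, the is_everybody_allowed flag and the role strings) are assumed to match Kanboard's schema, the treatment of 'app-admin' as able to write anywhere is an assumption, and the rows are constructed sample data.

```python
"""Find tasks sitting in projects their creator is not allowed to write to.

Added example, not Kanboard code. Table/column names and role strings are
assumed to match Kanboard's schema; build_sample_db() holds constructed rows.
Pass a real DB-API connection to find_tasks_outside_membership() to run it
against an actual install (e.g. sqlite3.connect("data/db.sqlite")).
"""
import sqlite3

DETECTION_SQL = """
SELECT t.id AS task_id, t.title, t.project_id, p.name AS project,
       t.creator_id, u.username, t.date_creation
FROM tasks t
JOIN projects p ON p.id = t.project_id
JOIN users u ON u.id = t.creator_id
WHERE u.role <> 'app-admin'                 -- assumed: app admins may write anywhere
  AND p.is_everybody_allowed = 0            -- "allow everybody" projects carry no membership rows
  AND NOT EXISTS (                          -- no direct writable membership ...
      SELECT 1 FROM project_has_users phu
      WHERE phu.project_id = t.project_id AND phu.user_id = t.creator_id
        AND phu.role IN ('project-manager', 'project-member'))
  AND NOT EXISTS (                          -- ... and no writable membership through a group
      SELECT 1 FROM project_has_groups phg
      JOIN group_has_users ghu ON ghu.group_id = phg.group_id
      WHERE phg.project_id = t.project_id AND ghu.user_id = t.creator_id
        AND phg.role IN ('project-manager', 'project-member'))
ORDER BY t.date_creation, t.id
"""


def find_tasks_outside_membership(conn):
    """Run the membership check; return suspicious tasks as a list of dicts."""
    cur = conn.execute(DETECTION_SQL)
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for a Kanboard database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT);
    CREATE TABLE projects (id INTEGER PRIMARY KEY, name TEXT, is_everybody_allowed INTEGER DEFAULT 0);
    CREATE TABLE project_has_users (project_id INTEGER, user_id INTEGER, role TEXT);
    CREATE TABLE project_has_groups (group_id INTEGER, project_id INTEGER, role TEXT);
    CREATE TABLE group_has_users (group_id INTEGER, user_id INTEGER);
    CREATE TABLE tasks (id INTEGER PRIMARY KEY, title TEXT, project_id INTEGER,
                        creator_id INTEGER, date_creation INTEGER);
    """)
    conn.executemany("INSERT INTO users VALUES (?,?,?)", [
        (1, "admin", "app-admin"), (2, "alice", "app-user"),
        (3, "bob", "app-user"), (4, "carol", "app-user")])
    conn.executemany("INSERT INTO projects VALUES (?,?,?)", [
        (10, "Product Roadmap", 0), (20, "HR Confidential", 0), (30, "All Hands", 1)])
    conn.executemany("INSERT INTO project_has_users VALUES (?,?,?)", [
        (10, 2, "project-member"), (20, 3, "project-manager"), (20, 2, "project-viewer")])
    conn.executemany("INSERT INTO group_has_users VALUES (?,?)", [(100, 4)])
    conn.executemany("INSERT INTO project_has_groups VALUES (?,?,?)", [(100, 10, "project-member")])
    conn.executemany("INSERT INTO tasks VALUES (?,?,?,?,?)", [
        (1, "Ship v1", 10, 2, 1700000000),        # direct member of 10: fine
        (2, "Fix CI", 10, 4, 1700000100),         # member of 10 through group 100: fine
        (3, "Salary review", 20, 3, 1700000200),  # project manager of 20: fine
        (4, "Ship v1", 20, 2, 1700000300),        # alice is only a viewer of 20: flag
        (5, "Ship v1", 20, 4, 1700000400),        # carol has no role in 20 at all: flag
        (6, "Townhall", 30, 4, 1700000500),       # everybody-allowed project: fine
        (7, "Audit", 20, 1, 1700000600),          # app-admin: fine
    ])
    return conn


if __name__ == "__main__":
    for row in find_tasks_outside_membership(build_sample_db()):
        print(row)
```

Run it once before the upgrade to get a baseline of what the vulnerability may already have produced, and again after upgrading: any row with a date_creation later than the upgrade means the fix is not in effect. The query reflects current membership, so a user who was legitimately removed from a project after creating tasks there will also be listed; check the flagged rows against the project's membership history before treating them as exploitation.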

🔗 References