{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21881", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-05T17:24:36.928Z", "datePublished": "2026-01-08T01:08:01.853Z", "dateUpdated": "2026-01-08T17:13:05.216Z"}, "containers": {"cna": {"title": "Kanboard is Vulnerable to Reverse Proxy Authentication Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/kanboard/kanboard/security/advisories/GHSA-wwpf-3j4p-739w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-wwpf-3j4p-739w"}, {"name": "https://github.com/kanboard/kanboard/commit/7af6143e2ad25b5c15549cca8af4341c7ac4e2fc", "tags": ["x_refsource_MISC"], "url": "https://github.com/kanboard/kanboard/commit/7af6143e2ad25b5c15549cca8af4341c7ac4e2fc"}, {"name": "https://github.com/kanboard/kanboard/releases/tag/v1.2.49", "tags": ["x_refsource_MISC"], "url": "https://github.com/kanboard/kanboard/releases/tag/v1.2.49"}], "affected": [{"vendor": "kanboard", "product": "kanboard", "versions": [{"version": "< 1.2.49", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-08T01:08:01.853Z"}, "descriptions": [{"lang": "en", "value": "Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below is vulnerable to a critical authentication bypass when REVERSE_PROXY_AUTH is enabled. The application blindly trusts HTTP headers for user authentication without verifying the request originated from a trusted reverse proxy. An attacker can impersonate any user, including administrators, by simply sending a spoofed HTTP header. This issue is fixed in version 1.2.49."}], "source": {"advisory": "GHSA-wwpf-3j4p-739w", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-wwpf-3j4p-739w", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-08T17:13:01.913386Z", "id": "CVE-2026-21881", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T17:13:05.216Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21881", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-08T17:13:01.913386Z"}}}], "references": [{"url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-wwpf-3j4p-739w", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T17:12:55.062Z"}}], "cna": {"title": "Kanboard is Vulnerable to Reverse Proxy Authentication Bypass", "source": {"advisory": "GHSA-wwpf-3j4p-739w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "kanboard", "product": "kanboard", "versions": [{"status": "affected", "version": "< 1.2.49"}]}], "references": [{"url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-wwpf-3j4p-739w", "name": "https://github.com/kanboard/kanboard/security/advisories/GHSA-wwpf-3j4p-739w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/kanboard/kanboard/commit/7af6143e2ad25b5c15549cca8af4341c7ac4e2fc", "name": "https://github.com/kanboard/kanboard/commit/7af6143e2ad25b5c15549cca8af4341c7ac4e2fc", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/kanboard/kanboard/releases/tag/v1.2.49", "name": "https://github.com/kanboard/kanboard/releases/tag/v1.2.49", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below is vulnerable to a critical authentication bypass when REVERSE_PROXY_AUTH is enabled. The application blindly trusts HTTP headers for user authentication without verifying the request originated from a trusted reverse proxy. An attacker can impersonate any user, including administrators, by simply sending a spoofed HTTP header. This issue is fixed in version 1.2.49."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-08T01:08:01.853Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21881", "state": "PUBLISHED", "dateUpdated": "2026-01-08T17:13:05.216Z", "dateReserved": "2026-01-05T17:24:36.928Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-08T01:08:01.853Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*", "matchCriteriaId": "AFA1D972-E76A-4A20-95F5-68D9915D3797", "versionEndExcluding": "1.2.49", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below is vulnerable to a critical authentication bypass when REVERSE_PROXY_AUTH is enabled. The application blindly trusts HTTP headers for user authentication without verifying the request originated from a trusted reverse proxy. An attacker can impersonate any user, including administrators, by simply sending a spoofed HTTP header. This issue is fixed in version 1.2.49."}], "id": "CVE-2026-21881", "lastModified": "2026-01-20T15:57:22.667", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-08T02:15:53.803", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/kanboard/kanboard/commit/7af6143e2ad25b5c15549cca8af4341c7ac4e2fc"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/kanboard/kanboard/releases/tag/v1.2.49"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-wwpf-3j4p-739w"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-wwpf-3j4p-739w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T07:48:21.597381+00:00", "value": {"mitigation_remediation": ["Upgrade Kanboard to version 1.2.49 or later", "If upgrading immediately is not possible, disable the REVERSE_PROXY_AUTH configuration until the patch is applied", "Configure the reverse proxy to validate or strip authentication headers and prevent arbitrary header injection"], "summary": {"action": "Apply patch", "impact": "Impersonation via authentication bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Kanboard software by the vendor kanboard. All installations using versions 1.2.48 or lower are vulnerable; the issue has been fixed starting with version 1.2.49.", "description_and_impact": "Kanboard project management software versions 1.2.48 and earlier are impacted by an authentication bypass that occurs when REVERSE_PROXY_AUTH is enabled. The application blindly accepts HTTP headers for authentication without verifying the request originates from a trusted reverse proxy. An attacker who can send HTTP requests to the server is able to spoof the authentication header and impersonate any user, including administrators, thereby gaining unauthorized access to the system.", "risk_and_exploitability": "The flaw carries a CVSS score of 9.1, indicating critical severity. The EPSS score is less than 1%, suggesting a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by sending a malicious HTTP request with forged authentication headers to a Kanboard instance that has REVERSE_PROXY_AUTH enabled and that accepts the headers as valid. The likely attack vector is an externally reachable server where the attacker can control request headers; no additional local privilege is required. The impact is direct impersonation of any user and elevation of privileges to administrator level."}}}}, "created": "2026-01-08T09:47:39.337675+00:00", "updated": "2026-04-18T08:00:05.784890+00:00", "vendors": ["kanboard", "kanboard$PRODUCT$kanboard"]}