{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25530", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T19:59:47.373Z", "datePublished": "2026-02-10T16:47:58.617Z", "dateUpdated": "2026-02-10T17:06:13.410Z"}, "containers": {"cna": {"title": "Kanboard is missing authorization check in getSwimlane API allows cross-project data access", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/kanboard/kanboard/security/advisories/GHSA-6rxw-vvvj-r93q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-6rxw-vvvj-r93q"}, {"name": "https://github.com/kanboard/kanboard/commit/c3d8d20e05322b09e036fed7afb57194d624a414", "tags": ["x_refsource_MISC"], "url": "https://github.com/kanboard/kanboard/commit/c3d8d20e05322b09e036fed7afb57194d624a414"}, {"name": "https://github.com/kanboard/kanboard/releases/tag/v1.2.50", "tags": ["x_refsource_MISC"], "url": "https://github.com/kanboard/kanboard/releases/tag/v1.2.50"}], "affected": [{"vendor": "kanboard", "product": "kanboard", "versions": [{"version": "< 1.2.50", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-10T16:47:58.617Z"}, "descriptions": [{"lang": "en", "value": "Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, the getSwimlane API method lacks project-level authorization, allowing authenticated users to access swimlane data from projects they cannot access. This vulnerability is fixed in 1.2.50."}], "source": {"advisory": "GHSA-6rxw-vvvj-r93q", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T17:06:05.211963Z", "id": "CVE-2026-25530", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T17:06:13.410Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25530", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T17:06:05.211963Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T17:06:09.670Z"}}], "cna": {"title": "Kanboard is missing authorization check in getSwimlane API allows cross-project data access", "source": {"advisory": "GHSA-6rxw-vvvj-r93q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "kanboard", "product": "kanboard", "versions": [{"status": "affected", "version": "< 1.2.50"}]}], "references": [{"url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-6rxw-vvvj-r93q", "name": "https://github.com/kanboard/kanboard/security/advisories/GHSA-6rxw-vvvj-r93q", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/kanboard/kanboard/commit/c3d8d20e05322b09e036fed7afb57194d624a414", "name": "https://github.com/kanboard/kanboard/commit/c3d8d20e05322b09e036fed7afb57194d624a414", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/kanboard/kanboard/releases/tag/v1.2.50", "name": "https://github.com/kanboard/kanboard/releases/tag/v1.2.50", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, the getSwimlane API method lacks project-level authorization, allowing authenticated users to access swimlane data from projects they cannot access. This vulnerability is fixed in 1.2.50."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-10T16:47:58.617Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25530", "state": "PUBLISHED", "dateUpdated": "2026-02-10T17:06:13.410Z", "dateReserved": "2026-02-02T19:59:47.373Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-10T16:47:58.617Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*", "matchCriteriaId": "C1B88FC0-3CFD-4A8C-A9E4-9AAF4F1D51EE", "versionEndExcluding": "1.2.50", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, the getSwimlane API method lacks project-level authorization, allowing authenticated users to access swimlane data from projects they cannot access. This vulnerability is fixed in 1.2.50."}], "id": "CVE-2026-25530", "lastModified": "2026-02-13T20:21:29.700", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-10T17:16:21.910", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/kanboard/kanboard/commit/c3d8d20e05322b09e036fed7afb57194d624a414"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/kanboard/kanboard/releases/tag/v1.2.50"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-6rxw-vvvj-r93q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.50)"}}], "product": "kanboard", "vendor": "kanboard"}], "analysis": {"en": {"generated_at": "2026-04-17T20:46:10.058372+00:00", "value": {"mitigation_remediation": ["Upgrade Kanboard to version 1.2.50 or later, which adds the missing authorization check to the getSwimlane API.", "Review and ensure user permissions restrict access to projects accordingly, preventing unauthorized cross\u2011project data disclosure.", "Monitor authentication logs for unusual API usage patterns that may indicate attempts to access multiple projects."], "summary": {"action": "Apply patch", "impact": "Unauthorized data disclosure"}, "threat_synthesis": {"affected_systems": "Kanboard project\u2011management software, product kanboard produced by kanboard, is affected. Any installation running a version prior to 1.2.50 is vulnerable. The patch was released in version 1.2.50.", "description_and_impact": "The vulnerability arises because the getSwimlane API method in Kanboard does not enforce project-level authorization checks. An authenticated user can invoke the API and retrieve swimlane data from any project, including those they should not be able to view. This results in the disclosure of confidential project information to unauthorized users. The weakness is classified as CWE-639, which describes an authorization bypass through user\u2011controlled input.", "risk_and_exploitability": "The CVSS score for this issue is 4.3, indicating a medium impact. The EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild. It is not present in the CISA KEV catalog. Because the flaw requires an authenticated user, an attacker would need valid credentials or exploit a legitimate login process to provoke the cross\u2011project data retrieval."}}}}, "created": "2026-02-10T21:42:01.173261+00:00", "updated": "2026-04-17T21:00:12.679904+00:00", "vendors": ["kanboard", "kanboard$PRODUCT$kanboard"]}