{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25531", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T19:59:47.373Z", "datePublished": "2026-02-13T15:04:24.316Z", "dateUpdated": "2026-02-13T15:32:51.222Z"}, "containers": {"cna": {"title": "Kanboard TaskCreationController::duplicateProjects() endpoint does not validate user permissions for target projects", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/kanboard/kanboard/security/advisories/GHSA-vrm3-3337-whp9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-vrm3-3337-whp9"}, {"name": "https://github.com/kanboard/kanboard/commit/df7b7a21ee071f36466d8b38e40d0b0b8b8d394d", "tags": ["x_refsource_MISC"], "url": "https://github.com/kanboard/kanboard/commit/df7b7a21ee071f36466d8b38e40d0b0b8b8d394d"}, {"name": "https://github.com/kanboard/kanboard/releases/tag/v1.2.50", "tags": ["x_refsource_MISC"], "url": "https://github.com/kanboard/kanboard/releases/tag/v1.2.50"}], "affected": [{"vendor": "kanboard", "product": "kanboard", "versions": [{"version": "< 1.2.50", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-13T15:04:24.316Z"}, "descriptions": [{"lang": "en", "value": "Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, The fix for CVE-2023-33968 is incomplete. The TaskCreationController::duplicateProjects() endpoint does not validate user permissions for target projects, allowing authenticated users to duplicate tasks into projects they cannot access. This vulnerability is fixed in 1.2.50."}], "source": {"advisory": "GHSA-vrm3-3337-whp9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-13T15:32:37.683409Z", "id": "CVE-2026-25531", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-13T15:32:51.222Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25531", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-13T15:32:37.683409Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-13T15:32:45.436Z"}}], "cna": {"title": "Kanboard TaskCreationController::duplicateProjects() endpoint does not validate user permissions for target projects", "source": {"advisory": "GHSA-vrm3-3337-whp9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "kanboard", "product": "kanboard", "versions": [{"status": "affected", "version": "< 1.2.50"}]}], "references": [{"url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-vrm3-3337-whp9", "name": "https://github.com/kanboard/kanboard/security/advisories/GHSA-vrm3-3337-whp9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/kanboard/kanboard/commit/df7b7a21ee071f36466d8b38e40d0b0b8b8d394d", "name": "https://github.com/kanboard/kanboard/commit/df7b7a21ee071f36466d8b38e40d0b0b8b8d394d", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/kanboard/kanboard/releases/tag/v1.2.50", "name": "https://github.com/kanboard/kanboard/releases/tag/v1.2.50", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, The fix for CVE-2023-33968 is incomplete. The TaskCreationController::duplicateProjects() endpoint does not validate user permissions for target projects, allowing authenticated users to duplicate tasks into projects they cannot access. This vulnerability is fixed in 1.2.50."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-13T15:04:24.316Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25531", "state": "PUBLISHED", "dateUpdated": "2026-02-13T15:32:51.222Z", "dateReserved": "2026-02-02T19:59:47.373Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-13T15:04:24.316Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*", "matchCriteriaId": "C1B88FC0-3CFD-4A8C-A9E4-9AAF4F1D51EE", "versionEndExcluding": "1.2.50", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, The fix for CVE-2023-33968 is incomplete. The TaskCreationController::duplicateProjects() endpoint does not validate user permissions for target projects, allowing authenticated users to duplicate tasks into projects they cannot access. This vulnerability is fixed in 1.2.50."}], "id": "CVE-2026-25531", "lastModified": "2026-02-13T20:43:30.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-13T15:15:57.990", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/kanboard/kanboard/commit/df7b7a21ee071f36466d8b38e40d0b0b8b8d394d"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/kanboard/kanboard/releases/tag/v1.2.50"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-vrm3-3337-whp9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.50)"}}], "product": "kanboard", "vendor": "kanboard"}], "analysis": {"en": {"generated_at": "2026-04-18T12:30:46.573713+00:00", "value": {"mitigation_remediation": ["Upgrade Kanboard to version\u202f1.2.50 or later, which includes the full fix for the access\u2011control flaw.", "Restrict or disable the duplicateProjects endpoint for sensitive projects by configuring role\u2011based access controls or removing the feature from the user interface.", "Enable detailed audit logging for duplicateProjects operations and regularly review logs for any unauthorized task duplication attempts."], "summary": {"action": "Patch", "impact": "Unauthorized Data Exposure"}, "threat_synthesis": {"affected_systems": "Kanboard, the open\u2011source Kanban project\u2011management application, is affected in every release before version\u202f1.2.50. The finalized fix that stops this unauthorized duplication was introduced in v1.2.50; earlier releases, including those that carried the incomplete patch for a prior CVE, remain vulnerable.", "description_and_impact": "The TaskCreationController::duplicateProjects() endpoint in Kanboard allows an authenticated user to copy tasks into projects for which they do not have permission, thereby bypassing enforced access controls. This flaw enables the user to expose task details\u2014including identifiers, content, and metadata\u2014that should remain confined to the target project.", "risk_and_exploitability": "With a CVSS score of 4.3 the vulnerability is considered moderate. Its EPSS score is below 1\u202f% and it is not listed in the CISA KEV catalog, indicating a low likelihood of active exploitation. An attacker only needs to be authenticated and possesses the ability to access the source project; no elevated privileges are required. The impact is limited to the ability to read or modify tasks in otherwise protected projects, so overall risk to an organization is modest but remedial action is recommended."}}}}, "created": "2026-02-13T21:28:36.347825+00:00", "updated": "2026-04-18T12:45:45.657800+00:00", "vendors": ["kanboard", "kanboard$PRODUCT$kanboard"]}