{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25924", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T16:22:17.785Z", "datePublished": "2026-02-11T20:43:19.575Z", "dateUpdated": "2026-02-12T21:18:27.186Z"}, "containers": {"cna": {"title": "Kanboard is Missing Access Control on Plugin Installation leading to Administrative RCE", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/kanboard/kanboard/security/advisories/GHSA-grch-p7vf-vc4f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-grch-p7vf-vc4f"}, {"name": "https://github.com/kanboard/kanboard/commit/b9ada89b1a64034612fc4262b88c42458c0d6ee4", "tags": ["x_refsource_MISC"], "url": "https://github.com/kanboard/kanboard/commit/b9ada89b1a64034612fc4262b88c42458c0d6ee4"}, {"name": "https://github.com/kanboard/kanboard/releases/tag/v1.2.50", "tags": ["x_refsource_MISC"], "url": "https://github.com/kanboard/kanboard/releases/tag/v1.2.50"}], "affected": [{"vendor": "kanboard", "product": "kanboard", "versions": [{"version": "< 1.2.50", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-11T20:43:19.575Z"}, "descriptions": [{"lang": "en", "value": "Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a security control bypass vulnerability in Kanboard allows an authenticated administrator to achieve full Remote Code Execution (RCE). Although the application correctly hides the plugin installation interface when the PLUGIN_INSTALLER configuration is set to false, the underlying backend endpoint fails to verify this security setting. An attacker can exploit this oversight to force the server to download and install a malicious plugin, leading to arbitrary code execution. This vulnerability is fixed in 1.2.50."}], "source": {"advisory": "GHSA-grch-p7vf-vc4f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-12T21:18:20.841412Z", "id": "CVE-2026-25924", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T21:18:27.186Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25924", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-12T21:18:20.841412Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T21:18:24.572Z"}}], "cna": {"title": "Kanboard is Missing Access Control on Plugin Installation leading to Administrative RCE", "source": {"advisory": "GHSA-grch-p7vf-vc4f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "kanboard", "product": "kanboard", "versions": [{"status": "affected", "version": "< 1.2.50"}]}], "references": [{"url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-grch-p7vf-vc4f", "name": "https://github.com/kanboard/kanboard/security/advisories/GHSA-grch-p7vf-vc4f", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/kanboard/kanboard/commit/b9ada89b1a64034612fc4262b88c42458c0d6ee4", "name": "https://github.com/kanboard/kanboard/commit/b9ada89b1a64034612fc4262b88c42458c0d6ee4", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/kanboard/kanboard/releases/tag/v1.2.50", "name": "https://github.com/kanboard/kanboard/releases/tag/v1.2.50", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a security control bypass vulnerability in Kanboard allows an authenticated administrator to achieve full Remote Code Execution (RCE). Although the application correctly hides the plugin installation interface when the PLUGIN_INSTALLER configuration is set to false, the underlying backend endpoint fails to verify this security setting. An attacker can exploit this oversight to force the server to download and install a malicious plugin, leading to arbitrary code execution. This vulnerability is fixed in 1.2.50."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-11T20:43:19.575Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25924", "state": "PUBLISHED", "dateUpdated": "2026-02-12T21:18:27.186Z", "dateReserved": "2026-02-09T16:22:17.785Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-11T20:43:19.575Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*", "matchCriteriaId": "C1B88FC0-3CFD-4A8C-A9E4-9AAF4F1D51EE", "versionEndExcluding": "1.2.50", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a security control bypass vulnerability in Kanboard allows an authenticated administrator to achieve full Remote Code Execution (RCE). Although the application correctly hides the plugin installation interface when the PLUGIN_INSTALLER configuration is set to false, the underlying backend endpoint fails to verify this security setting. An attacker can exploit this oversight to force the server to download and install a malicious plugin, leading to arbitrary code execution. This vulnerability is fixed in 1.2.50."}], "id": "CVE-2026-25924", "lastModified": "2026-02-13T21:30:01.447", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-11T21:16:19.283", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/kanboard/kanboard/commit/b9ada89b1a64034612fc4262b88c42458c0d6ee4"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/kanboard/kanboard/releases/tag/v1.2.50"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-grch-p7vf-vc4f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.50)"}}], "product": "kanboard", "vendor": "kanboard"}], "analysis": {"en": {"generated_at": "2026-04-17T20:13:40.775139+00:00", "value": {"mitigation_remediation": ["Upgrade Kanboard to version 1.2.50 or later to apply the vendor fix.", "If an upgrade is temporarily infeasible, set PLUGIN_INSTALLER to false and verify that the backend installation endpoint is not accessible. This limits the attack surface but does not remove the underlying code issue.", "Implement network or application\u2011level controls to block calls to the plugin\u2011installer endpoint from untrusted sources.", "Regularly audit server logs and Kanboard activity for unexpected plugin installation events to detect potential exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Any installation of Kanboard older than version 1.2.50 is vulnerable. The affected product is Kanboard project management software. All installations that allow an administrator to authenticate are at risk, regardless of the deployment environment. The vulnerability is mitigated by upgrading to version 1.2.50 or later.", "description_and_impact": "Kanboard, a Kanban\u2011focused project management tool, contains a security control bypass that permits an authenticated administrator to install arbitrary plugins without proper access checks. The backend endpoint responsible for plugin installation does not respect the PLUGIN_INSTALLER configuration flag, enabling the server to download and install a malicious plugin, thus providing full Remote Code Execution. The flaw is classified as a Missing Access Control (CWE\u2011863).", "risk_and_exploitability": "The CVSS score of 8.5 indicates a high impact, while the EPSS probability is < 1%, suggesting the exploit is unlikely to be widely used at present. The vulnerability is not listed in the CISA KEV catalog. Attackers must first authenticate as an administrator; from that position they can exploit the unprotected plugin\u2011installation endpoint to execute arbitrary code on the server."}}}}, "created": "2026-02-12T09:03:19.772234+00:00", "updated": "2026-04-17T20:15:27.006757+00:00", "vendors": ["kanboard", "kanboard$PRODUCT$kanboard"]}