{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29056", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T17:50:11.244Z", "datePublished": "2026-03-18T01:56:19.315Z", "dateUpdated": "2026-03-18T14:01:17.860Z"}, "containers": {"cna": {"title": "Kanboard's privilege escalation via mass assignment in user invite registration allows any invited user to become admin", "problemTypes": [{"descriptions": [{"cweId": "CWE-915", "lang": "en", "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:H/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/kanboard/kanboard/security/advisories/GHSA-2jvj-q44v-6p3x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-2jvj-q44v-6p3x"}], "affected": [{"vendor": "kanboard", "product": "kanboard", "versions": [{"version": "< 1.2.51", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T01:56:19.315Z"}, "descriptions": [{"lang": "en", "value": "Kanboard is project management software focused on Kanban methodology. Prior to 1.2.51, Kanboard's user invite registration endpoint (`UserInviteController::register()`) accepts all POST parameters and passes them to `UserModel::create()` without filtering out the `role` field. An attacker who receives an invite link can inject `role=app-admin` in the registration form to create an administrator account. Version 1.2.51 fixes the issue."}], "source": {"advisory": "GHSA-2jvj-q44v-6p3x", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-2jvj-q44v-6p3x", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T14:01:14.632601Z", "id": "CVE-2026-29056", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T14:01:17.860Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29056", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T14:01:14.632601Z"}}}], "references": [{"url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-2jvj-q44v-6p3x", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T14:01:06.511Z"}}], "cna": {"title": "Kanboard's privilege escalation via mass assignment in user invite registration allows any invited user to become admin", "source": {"advisory": "GHSA-2jvj-q44v-6p3x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:H/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "kanboard", "product": "kanboard", "versions": [{"status": "affected", "version": "< 1.2.51"}]}], "references": [{"url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-2jvj-q44v-6p3x", "name": "https://github.com/kanboard/kanboard/security/advisories/GHSA-2jvj-q44v-6p3x", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Kanboard is project management software focused on Kanban methodology. Prior to 1.2.51, Kanboard's user invite registration endpoint (`UserInviteController::register()`) accepts all POST parameters and passes them to `UserModel::create()` without filtering out the `role` field. An attacker who receives an invite link can inject `role=app-admin` in the registration form to create an administrator account. Version 1.2.51 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-915", "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T01:56:19.315Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29056", "state": "PUBLISHED", "dateUpdated": "2026-03-18T14:01:17.860Z", "dateReserved": "2026-03-03T17:50:11.244Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-18T01:56:19.315Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*", "matchCriteriaId": "072A459D-CB3E-4256-ACB0-F83BE3E0B89A", "versionEndExcluding": "1.2.51", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Kanboard is project management software focused on Kanban methodology. Prior to 1.2.51, Kanboard's user invite registration endpoint (`UserInviteController::register()`) accepts all POST parameters and passes them to `UserModel::create()` without filtering out the `role` field. An attacker who receives an invite link can inject `role=app-admin` in the registration form to create an administrator account. Version 1.2.51 fixes the issue."}, {"lang": "es", "value": "Kanboard es un software de gesti\u00f3n de proyectos centrado en la metodolog\u00eda Kanban. Antes de la versi\u00f3n 1.2.51, el endpoint de registro de invitaci\u00f3n de usuario de Kanboard (UserInviteController::register()) aceptaba todos los par\u00e1metros POST y los pasaba a UserModel::create() sin filtrar el campo role. Un atacante que recibe un enlace de invitaci\u00f3n puede inyectar role=app-admin en el formulario de registro para crear una cuenta de administrador. La versi\u00f3n 1.2.51 corrige el problema."}], "id": "CVE-2026-29056", "lastModified": "2026-03-18T19:40:48.907", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:H/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-18T02:16:24.407", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-2jvj-q44v-6p3x"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/kanboard/kanboard/security/advisories/GHSA-2jvj-q44v-6p3x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-915"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.51)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "kanboard", "source": "cna", "vendor": "kanboard"}, "product": "kanboard", "vendor": "kanboard"}], "analysis": {"en": {"generated_at": "2026-03-18T20:24:39.506005+00:00", "value": {"mitigation_remediation": ["Upgrade Kanboard to version 1.2.51 or later. ", "If upgrading is not possible immediately, implement a temporary change that removes the role field from the invite registration form or validates role values. ", "Audit invite usage and monitor for unauthorized admin accounts."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation via Mass Assignment"}, "threat_synthesis": {"affected_systems": "Versions of Kanboard before 1.2.51 are affected. The official fix resides in release 1.2.51; any deployment of 1.2.50 or earlier that exposes the invite registration endpoint is vulnerable. The affected product is the Kanboard project management software provided by the vendor kanboard.", "description_and_impact": "Kanboard's user invite registration endpoint (UserInviteController::register()) processes all POST parameters and forwards them to UserModel::create() without filtering the role attribute. As a result, an attacker who obtains an invite link can submit a form with role=app-admin and create an account with full administrator privileges. This privilege escalation allows the attacker to configure boards, create projects, and alter system settings, effectively compromising the entire platform. The weakness is a Mass Assignment flaw (CWE-915).", "risk_and_exploitability": "With a CVSS score of 7, the vulnerability is considered moderate to high severity. The EPSS score is <1%, indicating that it is unlikely to be widely exploited at present, and it is not cataloged in the CISA KEV list. The exploit requires an attacker to obtain or guess a valid invite link and then submit a crafted registration request, suggesting a user\u2011initiated web form attack. No network\u2011level access is required beyond the ability to reach the public invite URL."}}}}, "created": "2026-03-18T10:42:03.765833+00:00", "updated": "2026-03-24T10:59:33.221647+00:00", "vendors": ["kanboard", "kanboard$PRODUCT$kanboard"]}