GHSA-f95x-r3pv-jh63
Kanboard versions through 1.2.52 contain a vulnerability in the BoardAjaxController save() method where the task_id parameter is not verified to belong to the project identified by project_id. This allows any authenticated user who is a member of at least one project to enumerate and move tasks from other projects, including private ones they are not authorized to access. The issue arises because task identifiers are sequential and shared across the entire instance. The vulnerability was fixed in a commit identified as 564cc30.
AI Analysis
Technical Summary
The vulnerability in Kanboard through version 1.2.52 involves improper authorization checks in the BoardAjaxController save() method used by the kanban board drag-and-drop endpoint. While the method validates the caller's role on the attacker-supplied project_id, it fails to verify that the supplied task_id actually belongs to that project. Since task IDs are sequential integers shared across the instance, an authenticated user with membership in any project can enumerate and manipulate tasks belonging to other projects, including private projects without membership or role. This can lead to unauthorized task movement, corruption, or hiding. The issue is tracked as CVE-2026-58660 and was fixed in commit 564cc30.
Potential Impact
An authenticated user with membership in any project can enumerate and move tasks from any other project on the same Kanboard instance, including private projects they do not belong to. This can result in unauthorized modification, corruption, or hiding of tasks, potentially disrupting project workflows and compromising data integrity.
Mitigation Recommendations
A fix for this vulnerability is available and was introduced in commit 564cc30. Users should upgrade Kanboard to a version that includes this fix. Since no official patch version is specified, check the Kanboard repository or vendor advisory for the exact fixed version and apply the update accordingly. Until patched, restrict access to trusted users only.
GHSA-f95x-r3pv-jh63
Description
Kanboard versions through 1.2.52 contain a vulnerability in the BoardAjaxController save() method where the task_id parameter is not verified to belong to the project identified by project_id. This allows any authenticated user who is a member of at least one project to enumerate and move tasks from other projects, including private ones they are not authorized to access. The issue arises because task identifiers are sequential and shared across the entire instance. The vulnerability was fixed in a commit identified as 564cc30.
CVSS v4.0
Affected software
pkg:github/kanboard/kanboardRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Kanboard through version 1.2.52 involves improper authorization checks in the BoardAjaxController save() method used by the kanban board drag-and-drop endpoint. While the method validates the caller's role on the attacker-supplied project_id, it fails to verify that the supplied task_id actually belongs to that project. Since task IDs are sequential integers shared across the instance, an authenticated user with membership in any project can enumerate and manipulate tasks belonging to other projects, including private projects without membership or role. This can lead to unauthorized task movement, corruption, or hiding. The issue is tracked as CVE-2026-58660 and was fixed in commit 564cc30.
Potential Impact
An authenticated user with membership in any project can enumerate and move tasks from any other project on the same Kanboard instance, including private projects they do not belong to. This can result in unauthorized modification, corruption, or hiding of tasks, potentially disrupting project workflows and compromising data integrity.
Mitigation Recommendations
A fix for this vulnerability is available and was introduced in commit 564cc30. Users should upgrade Kanboard to a version that includes this fix. Since no official patch version is specified, check the Kanboard repository or vendor advisory for the exact fixed version and apply the update accordingly. Until patched, restrict access to trusted users only.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-f95x-r3pv-jh63
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-58660"]
- Ecosystems
- []
- Database Specific Severity
- HIGH
- Cvss Version
- 4.0
Threat ID: 6a58b44568715ace43d6ae94
Added to database: 07/16/2026, 10:36:53 UTC
Last enriched: 07/16/2026, 11:23:36 UTC
Last updated: 07/17/2026, 02:33:14 UTC
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.