The vulnerability in Kanboard up to version 1.2.52 involves improper validation of the session id parameter in the UserViewController::removeSession function. Because the parameter is passed unchecked to RememberMeSessionModel::remove, an authenticated user can enumerate sequential session IDs and delete Remember Me sessions belonging to other users, including administrators. This can lead to mass invalidation of persistent login sessions, forcing users to re-authenticate and causing denial of service. The issue is tracked as CVE-2026-56774 and was fixed in commit 928c68a.

Authenticated users can delete persistent login sessions of other users by exploiting the lack of session id validation. This can disrupt user access by forcing re-authentication, effectively causing a denial of service. The vulnerability affects user session integrity but does not directly allow privilege escalation or data disclosure based on the provided information.

A fix is available and was implemented in commit 928c68a. Users should update Kanboard to a version including this commit or later to remediate the vulnerability. Until patched, restrict authenticated user permissions to limit session management capabilities if possible.