QwikSec

Security Database

CVE

CWE

Training

CVE-2025-52576

Published: Jun 25, 2025

Modified: Jun 25, 2025

PUBLISHED

CVSS v3.1

5.3

MEDIUM

Description

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard is vulnerable to username enumeration and IP spoofing-based brute-force protection bypass. By analyzing login behavior and abusing trusted HTTP headers, an attacker can determine valid usernames and circumvent rate-limiting or blocking mechanisms. Any organization running a publicly accessible Kanboard instance is affected, especially if relying on IP-based protections like Fail2Ban or CAPTCHA for login rate-limiting. Attackers with access to the login page can exploit this flaw to enumerate valid usernames and bypass IP-based blocking mechanisms, putting all user accounts at higher risk of brute-force or credential stuffing attacks. Version 1.2.46 contains a patch for the issue.

Vendor	Product	Versions
kanboard	kanboard	affected `< 1.2.46`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

https://github.com/kanboard/kanboard/security/advisories/GHSA-qw57-7cx6-wvp7

x_refsource_CONFIRM

https://github.com/kanboard/kanboard/commit/3079623640dc39f9c7b0c840d2a79095331051f1

x_refsource_MISC

https://github.com/kanboard/kanboard/blob/cbb7e60fb595ff4572bb8801b275a0b451c4bda0/app/Model/UserLockingModel.php#L101-L104

x_refsource_MISC

https://github.com/kanboard/kanboard/blob/cbb7e60fb595ff4572bb8801b275a0b451c4bda0/app/Subscriber/AuthSubscriber.php#L96-L108

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.