CVE-2026-29056

Published: Mar 18, 2026

Modified: Mar 18, 2026

PUBLISHED

Description

Kanboard is project management software focused on Kanban methodology. Prior to 1.2.51, Kanboard's user invite registration endpoint (`UserInviteController::register()`) accepts all POST parameters and passes them to `UserModel::create()` without filtering out the `role` field. An attacker who receives an invite link can inject `role=app-admin` in the registration form to create an administrator account. Version 1.2.51 fixes the issue.
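A simplified model of the mass-assignment pattern described above, next to an allowlist-based handler, as an added example. It is not Kanboard's code: the function names, the allowlisted field names and the `app-user` default role are assumptions, and the sample request is constructed.

```php
<?php
// Simplified model of the flaw class, NOT Kanboard's code. All names below
// except the `role` field and the `app-admin` value are assumptions.

const INVITE_ALLOWED_FIELDS = ['username', 'name', 'email', 'password'];
const INVITE_DEFAULT_ROLE = 'app-user'; // assumed non-privileged default

// Vulnerable shape: every POST parameter is handed to the model unchanged,
// so a client-supplied `role` becomes the stored role.
function buildUserUnfiltered(array $post): array
{
    return $post;
}

// Hardened shape: keep only allowlisted keys and assign the role server-side,
// so nothing the client sends can influence privilege.
function buildUserFiltered(array $post): array
{
    $user = array_intersect_key($post, array_flip(INVITE_ALLOWED_FIELDS));
    $user['role'] = INVITE_DEFAULT_ROLE;
    return $user;
}

// Submitted keys outside the allowlist. Worth logging: a `role` key on an
// invite registration request is a strong signal of tampering.
function unexpectedFields(array $post): array
{
    return array_values(array_diff(array_keys($post), INVITE_ALLOWED_FIELDS));
}

// Constructed sample request body for an invite registration.
$post = [
    'username' => 'newuser',
    'name'     => 'New User',
    'email'    => 'newuser@example.test',
    'password' => 'constructed-sample-value',
    'role'     => 'app-admin',
];

echo 'unfiltered role: ', buildUserUnfiltered($post)['role'], PHP_EOL;
echo 'filtered role:   ', buildUserFiltered($post)['role'], PHP_EOL;
echo 'rejected fields: ', implode(', ', unexpectedFields($post)), PHP_EOL;
```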

Vendor: kanboard

Product: kanboard

Versions: affected < 1.2.51

Weaknesses (CWE)
