User Role Injection Vulnerability in Kanboard by Kanboard
CVE-2026-29056

7 HIGH

Key Information:

Vendor

Kanboard

Status
Vendor
CVE Published:
18 March 2026

What is CVE-2026-29056?

Kanboard, a project management software that employs the Kanban methodology, is vulnerable to user role injection due to insufficient input validation. The endpoint responsible for user invites does not filter POST parameters before they are processed, so an invitee can manipulate the registration process by injecting a role parameter, specifically setting it to 'app-admin'. As a result, an ordinary user can exploit this vulnerability to create an unauthorized administrative account and thereby gain elevated privileges in the application. It is highly recommended to update to version 1.2.51 or later, where this issue is patched.
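The pattern behind this class of bug is mass assignment: a handler copies every submitted parameter into the new account record, including fields the client should never control. The following is an added example, not Kanboard's code: it contrasts a vulnerable invite handler with an allowlisting one, and exposes the unexpected parameters so they can be logged. Field names, the role constants and the handler functions are assumptions; 'app-admin' is the role value named in the advisory.

```python
# Constructed example of the mass-assignment defect and its fix.
# Role names: "app-admin" comes from the advisory; "app-user" is an assumption.
ROLE_APP_ADMIN = "app-admin"
ROLE_APP_USER = "app-user"

# Fields an invitee may legitimately supply when completing registration
# (assumed set; a real application would use its own schema).
INVITE_ALLOWED_FIELDS = frozenset({"username", "name", "email", "password"})


def create_user_vulnerable(post: dict) -> dict:
    """Vulnerable pattern: every POST key becomes a record field, so a
    crafted body can overwrite the server-assigned role."""
    user = {"role": ROLE_APP_USER}
    user.update(post)  # defect: client-supplied 'role' wins
    return user


def unexpected_fields(post: dict) -> set:
    """Parameters outside the allowlist; worth logging as a tampering signal."""
    return set(post) - INVITE_ALLOWED_FIELDS


def create_user_hardened(post: dict) -> dict:
    """Hardened pattern: copy only allowlisted fields and let the server,
    never the request, decide the role of an invited user."""
    user = {key: post[key] for key in INVITE_ALLOWED_FIELDS if key in post}
    user["role"] = ROLE_APP_USER  # invites always yield an ordinary user
    return user


# Constructed request body of the kind the advisory describes.
CRAFTED_POST = {
    "username": "invitee",
    "email": "invitee@example.invalid",
    "password": "constructed-sample-password",
    "role": ROLE_APP_ADMIN,
}

if __name__ == "__main__":
    print("vulnerable ->", create_user_vulnerable(CRAFTED_POST)["role"])
    print("hardened   ->", create_user_hardened(CRAFTED_POST)["role"])
    print("unexpected ->", sorted(unexpected_fields(CRAFTED_POST)))
```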

Affected Version(s)

kanboard < 1.2.51

References

CVSS V4

Score:
7
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
