Session Management Flaw in Kanboard by Kanboard
CVE-2026-56774

5.3 MEDIUM

Key Information:

Vendor

Kanboard

Status
Vendor
CVE Published:
25 June 2026

Badges

👾 Exploit Exists

🟡 Public PoC

What is CVE-2026-56774?

In Kanboard versions up to 1.2.52, a flaw in the UserViewController::removeSession method allows authenticated users to delete other users' Remember Me sessions without proper session ID validation. This vulnerability can be exploited by attackers who are able to enumerate sequential session IDs, enabling them to invalidate persistent login sessions across the platform. This could lead to forced re-authentication for affected users, including administrative accounts, resulting in a denial of service and potential disruption of user activities.

Affected Version(s)

kanboard 0 <= 1.2.52

kanboard 928c68aa2b7c00092dd71084d329b912e229f3d1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen