CVE-2026-21881
Published: 08 January 2026
Summary
CVE-2026-21881 is a critical-severity Improper Authentication (CWE-287) vulnerability in Kanboard Kanboard. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 40.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires unique identification and authentication of organizational users, directly preventing impersonation via spoofed HTTP headers in reverse proxy authentication.
Enforces approved authorizations for access to system resources, mitigating unauthorized access gained through unverified authentication headers.
Validates information inputs including HTTP headers for authentication, addressing the blind trust in unverified reverse proxy headers.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows remote attackers to bypass authentication via HTTP header spoofing in a public-facing web application (Kanboard), directly enabling exploitation of a public-facing application for initial access.
NVD Description
Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below is vulnerable to a critical authentication bypass when REVERSE_PROXY_AUTH is enabled. The application blindly trusts HTTP headers for user authentication without verifying the request originated from a…
more
trusted reverse proxy. An attacker can impersonate any user, including administrators, by simply sending a spoofed HTTP header. This issue is fixed in version 1.2.49.
Deeper analysisAI
CVE-2026-21881 is a critical authentication bypass vulnerability (CWE-287) affecting Kanboard, an open-source project management software focused on the Kanban methodology. Versions 1.2.48 and prior are vulnerable when the REVERSE_PROXY_AUTH configuration is enabled. In this setup, the application blindly trusts HTTP headers for user authentication without verifying that the request originated from a trusted reverse proxy, allowing unauthorized access.
Any remote attacker without privileges can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). By spoofing the relevant HTTP header, the attacker can impersonate any user, including administrators, potentially gaining high confidentiality and integrity impacts such as accessing sensitive project data or modifying board configurations.
The issue is addressed in Kanboard version 1.2.49, as detailed in the project's security advisory (GHSA-wwpf-3j4p-739w), release notes, and the fixing commit (7af6143e2ad25b5c15549cca8af4341c7ac4e2fc). Security practitioners should upgrade to the patched version and review reverse proxy configurations to ensure proper header validation.
Details
- CWE(s)