Cyber Resilience

CVE-2026-21881

CriticalPublic PoC

Published: 08 January 2026

Published
08 January 2026
Modified
20 January 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0043 34.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-21881 is a critical-severity Improper Authentication (CWE-287) vulnerability in Kanboard Kanboard. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2026-21881 is a critical authentication bypass vulnerability (CWE-287) affecting Kanboard, an open-source project management software focused on the Kanban methodology. Versions 1.2.48 and prior are vulnerable when the REVERSE_PROXY_AUTH configuration is enabled. In this setup, the application blindly trusts HTTP headers for user authentication without verifying that the request originated from a trusted reverse proxy, allowing unauthorized access.

Any remote attacker without privileges can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). By spoofing the relevant HTTP header, the attacker can impersonate any user, including administrators, potentially gaining high confidentiality and integrity impacts such as accessing sensitive project data or modifying board configurations.

The issue is addressed in Kanboard version 1.2.49, as detailed in the project's security advisory (GHSA-wwpf-3j4p-739w), release notes, and the fixing commit (7af6143e2ad25b5c15549cca8af4341c7ac4e2fc). Security practitioners should upgrade to the patched version and review reverse proxy configurations to ensure proper header validation.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below is vulnerable to a critical authentication bypass when REVERSE_PROXY_AUTH is enabled. The application blindly trusts HTTP headers for user authentication without verifying the request originated from a…

more

trusted reverse proxy. An attacker can impersonate any user, including administrators, by simply sending a spoofed HTTP header. This issue is fixed in version 1.2.49.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows remote attackers to bypass authentication via HTTP header spoofing in a public-facing web application (Kanboard), directly enabling exploitation of a public-facing application for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-29056Same product: Kanboard Kanboard
CVE-2026-25924Same product: Kanboard Kanboard
CVE-2026-24885Same product: Kanboard Kanboard
CVE-2025-55010Same product: Kanboard Kanboard
CVE-2025-1044Shared CWE-287
CVE-2026-1740Shared CWE-287
CVE-2026-7022Shared CWE-287
CVE-2024-13111Shared CWE-287
CVE-2026-29145Shared CWE-287
CVE-2018-25236Shared CWE-287

Affected Assets

kanboard
kanboard
≤ 1.2.49

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires unique identification and authentication of organizational users, directly preventing impersonation via spoofed HTTP headers in reverse proxy authentication.

prevent

Enforces approved authorizations for access to system resources, mitigating unauthorized access gained through unverified authentication headers.

prevent

Validates information inputs including HTTP headers for authentication, addressing the blind trust in unverified reverse proxy headers.

References