
CVE-2026-24885

Severity: Medium · Public PoC

Published: 10 February 2026
Modified: 13 February 2026
KEV Added: none
Patch: none recorded
CVSS v3.1 score: 5.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N)
EPSS score: 0.0002 (6.2th percentile)
Risk priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-24885 is a medium-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in Kanboard (vendor: Kanboard). Its CVSS base score is 5.7 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 6.2th percentile for exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Kanboard, an open-source project management tool based on the Kanban methodology, contains a Cross-Site Request Forgery (CSRF) vulnerability designated as CVE-2026-24885 in versions prior to 1.2.50. The issue resides in the ProjectPermissionController, specifically the changeUserRole action, where the server does not strictly enforce an application/json Content-Type header. Despite expecting JSON in the request body, it accepts text/plain payloads, enabling attackers to submit malicious data via HTML forms.

An attacker can exploit this vulnerability by hosting a malicious webpage with a form configured to use text/plain Content-Type, tricking an authenticated administrator into visiting the site. Upon submission—triggered by user interaction such as clicking a button—the forged request modifies project user roles without the admin's knowledge or consent. The CVSS v3.1 base score of 5.7 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N) reflects network accessibility, low attack complexity, requirement for low-privileged authentication (via the victim's session), and user interaction, resulting in high integrity impact through unauthorized role changes.

The vulnerability is addressed in Kanboard version 1.2.50, as detailed in the project's security advisory (GHSA-582j-h4w4-hwr5), release notes, and the fixing commit (2c56d92783d4a3094812c2f7cba50f80a372f95e). Security practitioners should urge users to upgrade immediately to mitigate risks, aligning with CWE-352 guidance on CSRF prevention.

Vulnerability details

Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a Cross-Site Request Forgery (CSRF) vulnerability exists in the ProjectPermissionController within the Kanboard application. The application fails to strictly enforce the application/json Content-Type for the changeUserRole action. Although the request body is JSON, the server accepts text/plain, allowing an attacker to craft a malicious form using the text/plain attribute, which allows unauthorized modification of project user roles if an authenticated admin visits a malicious site. This vulnerability is fixed in 1.2.50.

CWE(s)

CWE-352: Cross-Site Request Forgery (CSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1098 Account Manipulation (Persistence): Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.

Why these techniques?

The CSRF flaw in the public-facing Kanboard web application directly enables forged requests that perform unauthorized project role changes. That maps to exploitation of a web application (T1190) and to account manipulation through permission/role modification (T1098).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-21881: same product (Kanboard Kanboard)
CVE-2026-29056: same product (Kanboard Kanboard)
CVE-2026-25924: same product (Kanboard Kanboard)
CVE-2025-55010: same product (Kanboard Kanboard)
CVE-2025-1687: shared CWE-352
CVE-2024-55076: shared CWE-352
CVE-2025-27910: shared CWE-352
CVE-2025-25907: shared CWE-352
CVE-2026-33649: shared CWE-352
CVE-2024-13852: shared CWE-352

Affected Assets

Vendor: kanboard
Product: kanboard
Versions: ≤ 1.2.50

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

prevent: Directly requires validation of Content-Type headers so that only application/json is accepted for changeUserRole, blocking the text/plain form-based CSRF vector.

prevent: Enforces that every state-changing request must carry proof of originating from an authentic user session rather than an attacker-supplied form.

prevent: Protects session authenticity by ensuring requests cannot be forged and replayed across origins without proper session-binding tokens.
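The two controls above (strict Content-Type validation and a session-bound token) together with the weakness described in the deeper analysis, as an added illustration that is not Kanboard's code: a request guard for a JSON-only endpoint that refuses a text/plain form submission even when its body is JSON-shaped, and accepts a same-origin fetch() call carrying the token. The header name X-CSRF-Token, the field names and the sample requests are assumptions constructed for the example.

```python
"""Illustrative server-side guard for a JSON-only, state-changing endpoint (not
Kanboard's code). An HTML form can only post application/x-www-form-urlencoded,
multipart/form-data or text/plain, so an endpoint that refuses anything but
application/json and demands a session-bound CSRF token cannot be driven by a
cross-site form, even one whose text/plain body is JSON-shaped. The header and
field names below are assumptions."""
import hmac
import json
from typing import Mapping, Optional, Tuple

def parse_media_type(content_type: Optional[str]) -> str:
    """Lower-cased 'type/subtype' of a Content-Type value, parameters dropped."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()

def guard_json_request(headers: Mapping[str, str], body: bytes,
                       session_csrf_token: str) -> Tuple[bool, str]:
    """Return (accepted, reason); header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    # The weak behaviour in the advisory amounts to skipping this check and
    # parsing the body as JSON whatever the Content-Type; the strict check is the fix.
    if parse_media_type(h.get("content-type")) != "application/json":
        return False, "content-type is not application/json"
    # The token is issued to the authenticated session; a forged form cannot know it.
    if not hmac.compare_digest(h.get("x-csrf-token", ""), session_csrf_token):
        return False, "missing or wrong csrf token"
    try:
        payload = json.loads(body)
    except ValueError:
        return False, "body is not valid JSON"
    if not isinstance(payload, dict):
        return False, "body must be a JSON object"
    return True, "ok"

SESSION_TOKEN = "constructed-session-token"  # placeholder for a per-session secret
ROLE_CHANGE = b'{"user_id": 7, "role": "project-manager"}'  # constructed body

# Constructed sample requests (not captured traffic): a cross-site text/plain form
# submission versus a legitimate same-origin fetch() call carrying the token.
FORM_REQUEST = ({"Content-Type": "text/plain", "Cookie": "session=abc"}, ROLE_CHANGE)
FETCH_REQUEST = ({"Content-Type": "application/json; charset=utf-8",
                  "X-CSRF-Token": SESSION_TOKEN}, ROLE_CHANGE)

def demo() -> dict:
    """Per-request outcome: the form is refused, the fetch call is accepted."""
    return {name: guard_json_request(hdrs, body, SESSION_TOKEN)[0]
            for name, (hdrs, body) in (("form", FORM_REQUEST), ("fetch", FETCH_REQUEST))}
```

The Content-Type check alone already stops the form vector described above; the token check is the defense in depth the second and third controls call for, so a missing token is refused even when the media type is right.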
