CVE-2026-24885
Published: 10 February 2026
Summary
CVE-2026-24885 is a medium-severity CSRF (CWE-352) vulnerability in Kanboard (vendor: Kanboard). Its CVSS base score is 5.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 6.2 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Kanboard, an open-source project management tool based on the Kanban methodology, contains a Cross-Site Request Forgery (CSRF) vulnerability designated as CVE-2026-24885 in versions prior to 1.2.50. The issue resides in the ProjectPermissionController, specifically the changeUserRole action, where the server does not strictly enforce an application/json Content-Type header. Despite expecting JSON in the request body, it accepts text/plain payloads, enabling attackers to submit malicious data via HTML forms.
An attacker can exploit this vulnerability by hosting a malicious webpage with a form configured to use text/plain Content-Type, tricking an authenticated administrator into visiting the site. Upon submission—triggered by user interaction such as clicking a button—the forged request modifies project user roles without the admin's knowledge or consent. The CVSS v3.1 base score of 5.7 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N) reflects network accessibility, low attack complexity, requirement for low-privileged authentication (via the victim's session), and user interaction, resulting in high integrity impact through unauthorized role changes.
The vulnerability is addressed in Kanboard version 1.2.50, as detailed in the project's security advisory (GHSA-582j-h4w4-hwr5), release notes, and the fixing commit (2c56d92783d4a3094812c2f7cba50f80a372f95e). Security practitioners should urge users to upgrade immediately to mitigate risks, aligning with CWE-352 guidance on CSRF prevention.
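To make the mechanism concrete, the following is an added example (not Kanboard's code and not part of the advisory) that contrasts a handler which decodes the body as JSON regardless of Content-Type with one that enforces application/json and a per-session token. The Request class, the X-CSRF-Token header name and the sample payload are assumptions constructed for the demonstration.

```python
import hmac
import json
from dataclasses import dataclass, field

@dataclass
class Request:            # minimal stand-in for an incoming HTTP request
    method: str
    content_type: str     # raw Content-Type header value
    body: str
    headers: dict = field(default_factory=dict)

def parse_json_body(req: Request):
    """Decoded JSON body, or None if the body is not valid JSON."""
    try:
        return json.loads(req.body)
    except json.JSONDecodeError:
        return None

def accept_lenient(req: Request) -> bool:
    """The pattern the advisory describes: the body is decoded as JSON whatever
    Content-Type the client sent, so a text/plain HTML form post gets through."""
    return req.method == "POST" and parse_json_body(req) is not None

def media_type(content_type: str) -> str:
    """Drop parameters such as '; charset=utf-8' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()

def accept_strict(req: Request, session_csrf_token: str) -> bool:
    """Hardened rule for a JSON-only, state-changing action.
    A plain HTML form can only send application/x-www-form-urlencoded,
    multipart/form-data or text/plain, so requiring exactly application/json
    stops the form-based vector; the CSRF token in a custom header (hypothetical
    name X-CSRF-Token) is defence in depth, since forms cannot set headers."""
    if req.method != "POST":
        return False
    if media_type(req.content_type) != "application/json":
        return False
    sent = req.headers.get("X-CSRF-Token", "")
    if not sent or not hmac.compare_digest(sent, session_csrf_token):
        return False
    return parse_json_body(req) is not None

# Constructed sample data, not taken from Kanboard or the advisory.
SESSION_TOKEN = "constructed-session-token"
ROLE_CHANGE = '{"user_id": 7, "role": "manager"}'
FORGED = Request("POST", "text/plain", ROLE_CHANGE)   # what a cross-site HTML form can send
LEGIT = Request("POST", "application/json; charset=utf-8", ROLE_CHANGE,
                {"X-CSRF-Token": SESSION_TOKEN})      # what the app's own front-end sends
```

Run against the samples, `accept_lenient(FORGED)` returns True while `accept_strict(FORGED, SESSION_TOKEN)` returns False and `accept_strict(LEGIT, SESSION_TOKEN)` returns True.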
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6458
Vulnerability details
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a Cross-Site Request Forgery (CSRF) vulnerability exists in the ProjectPermissionController within the Kanboard application. The application fails to strictly enforce the application/json Content-Type for the changeUserRole action. Although the request body is JSON, the server accepts text/plain, allowing an attacker to craft a malicious form using the text/plain attribute, which allows unauthorized modification of project user roles if an authenticated admin visits a malicious site. This vulnerability is fixed in 1.2.50.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF flaw in the public-facing Kanboard web application directly enables forged requests that perform unauthorized project role changes, mapping to Exploit Public-Facing Application (T1190) and Account Manipulation via permission/role modification (T1098).
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation of Content-Type headers so that only application/json is accepted for changeUserRole, blocking the text/plain form-based CSRF vector.
- Enforces that every state-changing request must carry proof of originating from an authentic user session rather than an attacker-supplied form.
- Protects session authenticity by ensuring requests cannot be forged and replayed across origins without proper session-binding tokens.