CVE-2026-24885
Published: 10 February 2026
Summary
CVE-2026-24885 is a medium-severity CSRF (CWE-352) vulnerability in Kanboard. Its CVSS base score is 5.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 6.1 percentile for exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF.
- Requiring users to re-enter credentials for sensitive actions prevents automated forgery of requests without active user participation.
- Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications.
- Monitoring detects anomalous request patterns consistent with cross-site request forgery.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF flaw in public-facing Kanboard web app directly enables forged requests that perform unauthorized project role changes, mapping to exploitation of web apps (T1190) and account manipulation via permission/role modification (T1098).
NVD Description
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a Cross-Site Request Forgery (CSRF) vulnerability exists in the ProjectPermissionController within the Kanboard application. The application fails to strictly enforce the application/json Content-Type for the changeUserRole action. Although the request body is JSON, the server accepts text/plain, allowing an attacker to craft a malicious form using the text/plain attribute, which allows unauthorized modification of project user roles if an authenticated admin visits a malicious site. This vulnerability is fixed in 1.2.50.
Deeper analysis
Kanboard, an open-source project management tool based on the Kanban methodology, contains a Cross-Site Request Forgery (CSRF) vulnerability designated as CVE-2026-24885 in versions prior to 1.2.50. The issue resides in the ProjectPermissionController, specifically the changeUserRole action, where the server does not strictly enforce an application/json Content-Type header. Despite expecting JSON in the request body, it accepts text/plain payloads, enabling attackers to submit malicious data via HTML forms.
An attacker can exploit this vulnerability by hosting a malicious webpage with a form configured to use text/plain Content-Type, tricking an authenticated administrator into visiting the site. Upon submission—triggered by user interaction such as clicking a button—the forged request modifies project user roles without the admin's knowledge or consent. The CVSS v3.1 base score of 5.7 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N) reflects network accessibility, low attack complexity, requirement for low-privileged authentication (via the victim's session), and user interaction, resulting in high integrity impact through unauthorized role changes.
The vulnerability is addressed in Kanboard version 1.2.50, as detailed in the project's security advisory (GHSA-582j-h4w4-hwr5), release notes, and the fixing commit (2c56d92783d4a3094812c2f7cba50f80a372f95e). Security practitioners should urge users to upgrade immediately to mitigate risks, aligning with CWE-352 guidance on CSRF prevention.
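The weakness described above is a server that validates the body as JSON without first checking the declared media type. The following added example (not Kanboard's code; the endpoint name, role values and request shapes are constructed) contrasts that loose pattern with a strict check that rejects every media type an HTML form can emit, including text/plain, before the body is parsed.

```python
"""Strict Content-Type enforcement for a JSON-only state-changing endpoint.

Constructed illustration of the CVE-2026-24885 failure mode: a handler that
parses any body as JSON will accept a text/plain submission from a cross-site
<form>, while a handler that demands application/json will not, because browsers
cannot send that media type from a plain form without a CORS preflight.
"""
import json
from typing import Optional

# Media types a browser will send from an HTML <form> without any preflight.
# Any of these arriving at a JSON-only endpoint is a CSRF warning sign.
FORM_SUBMITTABLE_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def parse_media_type(content_type: Optional[str]) -> str:
    """Return the bare media type, lowercased, with parameters such as charset stripped."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def weak_accepts(content_type: Optional[str], body: str) -> bool:
    """Flawed pattern: the header is ignored; anything that parses as JSON is accepted."""
    try:
        json.loads(body)
        return True
    except ValueError:
        return False


def strict_accepts(content_type: Optional[str], body: str) -> bool:
    """Hardened pattern: require application/json before the body is even parsed."""
    if parse_media_type(content_type) != "application/json":
        return False
    return weak_accepts(content_type, body)


def is_form_submittable(content_type: Optional[str]) -> bool:
    """True when the media type is one a cross-site HTML form could have produced."""
    return parse_media_type(content_type) in FORM_SUBMITTABLE_TYPES


# Constructed sample requests for a hypothetical role-change endpoint.
LEGIT_CONTENT_TYPE = "application/json; charset=utf-8"   # sent by the app's own JS client
FORGED_CONTENT_TYPE = "text/plain"                       # what a cross-site <form> can send
ROLE_CHANGE_BODY = '{"user_id": 7, "role": "project-manager"}'
```

Media-type enforcement blocks the simple-form vector but is defense in depth only; a per-request anti-CSRF token tied to the session remains the primary CWE-352 control.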
Details
- CWE(s)