CVE-2026-25924
Published: 11 February 2026
Summary
CVE-2026-25924 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Kanboard (vendor: Kanboard). Its CVSS v3.1 base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 26.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- AC-3 (Access Enforcement): Enforces approved authorizations on the backend plugin installation endpoint, preventing authenticated administrators from bypassing the PLUGIN_INSTALLER configuration to achieve RCE.
- User-installed software restrictions: Establishes and enforces organizational policies restricting user-installed software such as plugins when disabled by configuration, directly mitigating unauthorized plugin downloads and execution.
- AC-6 (Least Privilege): Ensures least privilege by authorizing access to plugin installation only when explicitly allowed by the PLUGIN_INSTALLER setting, limiting even administrators from exploiting the backend endpoint.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The vulnerability is an authorization bypass in the public-facing Kanboard web application that lets an authenticated administrator install an arbitrary plugin directly, leading to RCE. That maps to exploitation of a public-facing application (T1190) and to abuse of a server software component, since the malicious plugin behaves like a web shell (T1505.003, Server Software Component: Web Shell).
NVD Description
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a security control bypass vulnerability in Kanboard allows an authenticated administrator to achieve full Remote Code Execution (RCE). Although the application correctly hides the plugin installation interface when the PLUGIN_INSTALLER configuration is set to false, the underlying backend endpoint fails to verify this security setting. An attacker can exploit this oversight to force the server to download and install a malicious plugin, leading to arbitrary code execution. This vulnerability is fixed in 1.2.50.
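The defect described above is a general CWE-863 pattern: a feature is gated in the UI by a configuration flag, but the backend handler never re-checks that flag, so a request sent directly to the endpoint succeeds. The following is an added illustration written for this page, not Kanboard's code; `FakeServer`, `Config`, `Request` and the handler names are constructed stand-ins that model the behaviour the advisory describes (an `install` action reachable only by administrators, gated by a `plugin_installer` flag that mirrors `PLUGIN_INSTALLER`). It places the vulnerable handler beside the hardened one so the difference in enforcement point is explicit.

```python
"""Constructed model of the CVE-2026-25924 authorization pattern (not Kanboard code).

The UI layer hides the plugin installer when the flag is off. The vulnerable
backend only checks the caller's role and trusts that the UI hid the form; the
fixed backend re-checks the same configuration flag on every request.
"""
from dataclasses import dataclass, field


@dataclass
class Config:
    # Mirrors the PLUGIN_INSTALLER setting: False means "installer disabled".
    plugin_installer: bool = False


@dataclass
class Request:
    user_role: str      # "admin" or "user" (constructed roles)
    action: str         # e.g. "install"
    plugin_url: str = ""  # where the server would fetch the plugin archive from


@dataclass
class Response:
    status: int
    body: str


@dataclass
class FakeServer:
    config: Config
    installed: list = field(default_factory=list)  # plugins the server "installed"

    def render_plugin_page(self, user_role: str) -> str:
        """UI layer: the install form is rendered only when the flag is on."""
        if user_role != "admin":
            return "<p>forbidden</p>"
        if not self.config.plugin_installer:
            return "<p>Plugin installer disabled</p>"
        return "<form action='install'>...</form>"

    def vulnerable_install(self, req: Request) -> Response:
        """Backend checks the role only; the config flag is never consulted.

        A direct request to this handler bypasses the hidden UI entirely.
        """
        if req.user_role != "admin":
            return Response(403, "forbidden")
        self.installed.append(req.plugin_url)  # download + install would happen here
        return Response(200, "installed")

    def fixed_install(self, req: Request) -> Response:
        """Backend enforces the same flag the UI uses (AC-3 style enforcement).

        Authentication/authorization is checked first, then the feature gate,
        so the failure mode is always a denial rather than an install.
        """
        if req.user_role != "admin":
            return Response(403, "forbidden")
        if not self.config.plugin_installer:
            return Response(403, "plugin installer disabled by configuration")
        self.installed.append(req.plugin_url)
        return Response(200, "installed")


def demo() -> dict:
    """Run both handlers with the installer disabled and report what happened."""
    req = Request(user_role="admin", action="install",
                  plugin_url="https://example.invalid/evil-plugin.zip")  # constructed URL

    vuln = FakeServer(Config(plugin_installer=False))
    fixed = FakeServer(Config(plugin_installer=False))

    # Both UIs hide the form ...
    ui_hidden = "form" not in vuln.render_plugin_page("admin")
    # ... but only the fixed backend refuses the direct request.
    vuln_resp = vuln.vulnerable_install(req)
    fixed_resp = fixed.fixed_install(req)

    return {
        "ui_hidden": ui_hidden,
        "vulnerable_status": vuln_resp.status,
        "vulnerable_installed": len(vuln.installed),
        "fixed_status": fixed_resp.status,
        "fixed_installed": len(fixed.installed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for reviewers and defenders is the enforcement location: a check that lives only in the template or JavaScript that decides whether to render a button is not an authorization control. Every state-changing endpoint must evaluate the same policy (role and feature flag) itself, which is what the 1.2.50 fix does for the plugin installer endpoint.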
Deeper analysis [AI]
CVE-2026-25924 is a security control bypass vulnerability affecting Kanboard, an open-source project management software focused on the Kanban methodology, in versions prior to 1.2.50. The flaw stems from the application's failure to enforce the PLUGIN_INSTALLER configuration setting on the backend endpoint for plugin installation, despite correctly hiding the frontend interface when this setting is disabled. This allows an authenticated administrator to bypass the control and force the server to download and execute arbitrary code via a malicious plugin. The vulnerability carries a CVSS v3.1 base score of 8.4 (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H) and is associated with CWE-863 (Incorrect Authorization).
An authenticated administrator with network access can exploit this vulnerability by directly invoking the unprotected backend endpoint to install a malicious plugin, requiring some user interaction such as confirming the action. Successful exploitation grants full remote code execution (RCE) on the server, enabling high confidentiality, integrity, and availability impacts with a changed scope due to the elevated privileges obtained through the plugin mechanism.
Kanboard addresses this issue in version 1.2.50, where the backend endpoint now properly verifies the PLUGIN_INSTALLER configuration. Security practitioners should upgrade to v1.2.50 or later, as detailed in the project's security advisory (GHSA-grch-p7vf-vc4f), release notes, and the fixing commit (b9ada89b1a64034612fc4262b88c42458c0d6ee4).
Details
- CWE(s)