Security

Report a vulnerability

SECURITY.md

Security Policy

Supported Versions

Only the latest stable version is supported.

Reporting a Vulnerability

Do not open a new GitHub issue if the bug is a security vulnerability.

Report the vulnerability privately by creating a new GitHub security advisory (documentation).

Keep in mind that this software is in maintenance mode.

Privilege escalation via mass assignment in user invite registration allows any invited user to become admin
GHSA-2jvj-q44v-6p3x published Mar 16, 2026 by fguillot

High
Authenticated SQL Injection in Project Permissions Handler
GHSA-f62r-m4mr-2xhh published Mar 17, 2026 by fguillot

High
Missing Access Control on Plugin Installation leads to Administrative RCE
GHSA-grch-p7vf-vc4f published Feb 11, 2026 by fguillot

High
The fix for CVE-2023-33968 (GHSA-gf8r-4p6m-v8vr) is incomplete. The `TaskCreationController::duplicateProjects()` endpoint does not validate user permissions for target projects, allowing authenticated users to duplicate tasks into projects they cannot access.
GHSA-vrm3-3337-whp9 published Feb 9, 2026 by fguillot

Moderate
Missing authorization check in getSwimlane API allows cross-project data access
GHSA-6rxw-vvvj-r93q published Feb 9, 2026 by fguillot

Moderate
Cross-Site Request Forgery (CSRF) via Content-Type Misconfiguration in Project Role Assignment
GHSA-582j-h4w4-hwr5 published Feb 9, 2026 by fguillot

Moderate
Kanboard Open Redirect Vulnerability
GHSA-mhv9-7m9w-7hcq published Jan 7, 2026 by fguillot

Moderate
Kanboard Reverse Proxy Authentication Bypass
GHSA-wwpf-3j4p-739w published Jan 7, 2026 by fguillot

Critical
Kanboard LDAP Injection Vulnerability
GHSA-v66r-m28r-wmq7 published Jan 7, 2026 by fguillot

Moderate
Path Traversal in File Write via Task File Upload Api
GHSA-26f4-rx96-xc55 published Aug 12, 2025 by fguillot

Moderate

Learn more about advisories related to kanboard/kanboard in the GitHub Advisory Database