CVE-2026-21881

CriticalPublic PoC

Published: 08 January 2026

Published

08 January 2026

Modified

20 January 2026

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score 0.0032 55.4th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below is vulnerable to a critical authentication bypass when REVERSE_PROXY_AUTH is enabled. The application blindly trusts HTTP headers for user authentication without verifying the request originated from a…

trusted reverse proxy. An attacker can impersonate any user, including administrators, by simply sending a spoofed HTTP header. This issue is fixed in version 1.2.49.

Mitigating Controls (NIST 800-53 r5)AI

IA-2 Identification and Authentication (Organizational Users) good match

prevent

Requires unique identification and authentication of organizational users, directly preventing impersonation via spoofed HTTP headers in reverse proxy authentication.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for access to system resources, mitigating unauthorized access gained through unverified authentication headers.

SI-10 Information Input Validation good match

prevent

Validates information inputs including HTTP headers for authentication, addressing the blind trust in unverified reverse proxy headers.

Security SummaryAI

CVE-2026-21881 is a critical authentication bypass vulnerability (CWE-287) affecting Kanboard, an open-source project management software focused on the Kanban methodology. Versions 1.2.48 and prior are vulnerable when the REVERSE_PROXY_AUTH configuration is enabled. In this setup, the application blindly trusts HTTP headers for user authentication without verifying that the request originated from a trusted reverse proxy, allowing unauthorized access.

Any remote attacker without privileges can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). By spoofing the relevant HTTP header, the attacker can impersonate any user, including administrators, potentially gaining high confidentiality and integrity impacts such as accessing sensitive project data or modifying board configurations.

The issue is addressed in Kanboard version 1.2.49, as detailed in the project's security advisory (GHSA-wwpf-3j4p-739w), release notes, and the fixing commit (7af6143e2ad25b5c15549cca8af4341c7ac4e2fc). Security practitioners should upgrade to the patched version and review reverse proxy configurations to ensure proper header validation.

Details

CWE(s): CWE-287

Affected Products

kanboard

≤ 1.2.49

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability allows remote attackers to bypass authentication via HTTP header spoofing in a public-facing web application (Kanboard), directly enabling exploitation of a public-facing application for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/kanboard/kanboard/commit/7af6143e2ad25b5c15549cca8af4341c7ac4e2fc
Patch · security-advisories@github.com
https://github.com/kanboard/kanboard/releases/tag/v1.2.49
Release Notes · security-advisories@github.com
https://github.com/kanboard/kanboard/security/advisories/GHSA-wwpf-3j4p-739w
Exploit, Vendor Advisory · security-advisories@github.com
https://github.com/kanboard/kanboard/security/advisories/GHSA-wwpf-3j4p-739w
Exploit, Vendor Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0