Cyber Posture

CVE-2026-29056

Severity: High · Public PoC

Published: 18 March 2026
Modified: 18 March 2026
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0024 (46.3rd percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Kanboard is project management software focused on Kanban methodology. Prior to 1.2.51, Kanboard's user invite registration endpoint (`UserInviteController::register()`) accepts all POST parameters and passes them to `UserModel::create()` without filtering out the `role` field. An attacker who receives an invite link can inject `role=app-admin` in the registration form to create an administrator account. Version 1.2.51 fixes the issue.
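As an added illustration, not Kanboard's own code, the following shows the mass-assignment pattern the description refers to (every POST field forwarded to the model's create call) beside an allow-listed alternative that takes the role from the invite rather than the request; the function names and the default role value `app-user` are assumptions.

```php
<?php
// Added illustration, not Kanboard's code. fakeCreate() stands in for a
// model create(); registerUnfiltered/registerFiltered are hypothetical names.

declare(strict_types=1);

/** Stand-in for a model create(): returns the row it would insert. */
function fakeCreate(array $values): array
{
    return $values;
}

/** Weak pattern: every submitted field reaches the model, 'role' included. */
function registerUnfiltered(array $post): array
{
    return fakeCreate($post);
}

/** Hardened pattern: allow-list self-service fields; role is set server-side. */
function registerFiltered(array $post, string $inviteRole = 'app-user'): array
{
    $allowed = ['username', 'name', 'email', 'password'];
    $values  = array_intersect_key($post, array_flip($allowed));
    // The role comes from the invite record ('app-user' assumed here),
    // never from the request body, so a submitted 'role' is simply dropped.
    $values['role'] = $inviteRole;
    return fakeCreate($values);
}

// Constructed request body: an invitee appends an extra 'role' field.
$post = [
    'username' => 'newhire',
    'email'    => 'newhire@example.invalid',
    'password' => 'correct horse battery staple',
    'role'     => 'app-admin',
];

$weak  = registerUnfiltered($post);
$fixed = registerFiltered($post);

assert($weak['role'] === 'app-admin');  // request-controlled role is persisted
assert($fixed['role'] === 'app-user');  // only the invite's role survives
echo "unfiltered role: {$weak['role']}, filtered role: {$fixed['role']}\n";
```

The same allow-list check also serves as a detection hook: logging any request whose body carries fields outside the allowed set surfaces attempts to set `role` before they reach the model.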

Mitigating Controls (NIST 800-53 r5) (AI)

- prevent: Requires validation of untrusted inputs like the 'role' parameter in the user invite registration endpoint to prevent unauthorized administrator account creation.
- prevent: Enforces approved access authorizations during user account creation to block injection of elevated roles such as 'app-admin' via unfiltered POST parameters.
- prevent: Manages account creation processes, including role assignments from invite links, to ensure only authorized privileges are granted and prevent self-escalation.

Security Summary (AI)

CVE-2026-29056 is a high-severity vulnerability (CVSS 8.8) in Kanboard, an open-source project management software focused on the Kanban methodology. The issue affects versions prior to 1.2.51 and stems from the user invite registration endpoint in UserInviteController::register(), which accepts all POST parameters without filtering and passes them directly to UserModel::create(). This allows unvalidated input, including the "role" field, to be processed, mapped to CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes).

An attacker with access to a valid invite link (low privileges, PR:L, in the CVSS vector) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). By injecting the parameter "role=app-admin" into the registration form, the attacker creates a new account with administrator privileges, with high impact on confidentiality (C:H), integrity (I:H) and availability (A:H) and no scope change (S:U).

The GitHub Security Advisory (GHSA-2jvj-q44v-6p3x) confirms that Kanboard version 1.2.51 resolves the vulnerability by implementing proper filtering of the role field in the registration process. Security practitioners should prioritize upgrading affected Kanboard instances to 1.2.51 or later and review any existing invite links for potential exposure.

Details

CWE(s): CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes

Affected Products: kanboard / kanboard ≤ 1.2.51

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1136 Create Account (Persistence): Adversaries may create an account to maintain access to victim systems.

Why these techniques?

The vulnerability in Kanboard's user registration endpoint allows remote exploitation (AV:N, PR:L) of a public-facing web application (T1190) to create a new administrator account by injecting the 'role=app-admin' parameter (T1136).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References