CVE-2026-21880

08.01.2026, 02:15

Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below have an LDAP Injection vulnerability in the LDAP authentication mechanism. User-supplied input is directly substituted into LDAP search filters without proper sanitization, allowing attackers to enumerate all LDAP users, discover sensitive user attributes, and perform targeted attacks against specific accounts. This issue is fixed in version 1.2.49.

LDAP Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
GitHub_M	CNA	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 28%

Debian Releases

Debian Product

Codename

kanboard

forky	vulnerable
sid	1.2.49+ds-1 fixed

Common Weakness Enumeration

CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.

Vulnerability Media Exposure

[GERMAN] Kanboard-Sicherheitslücke ermöglicht Anmeldung als beliebiger User
In Kanboard stecken drei Sicherheitslecks. Das gravierendste erlaubt die Anmeldung als beliebiger Nutzer. Ein Update steht bereit.
Published: 2026-01-08T13:03:00+00:00

References

https://github.com/kanboard/kanboard/commit/dd374079f7c2d1dab74c1680960e684ff8668586

https://github.com/kanboard/kanboard/releases/tag/v1.2.49

https://github.com/kanboard/kanboard/security/advisories/GHSA-v66r-m28r-wmq7