HarborGuard / CVE
CVE-2026-29056 | Severity: HIGH | CNA: GitHub_M

CVE-2026-29056: Kanboard's privilege escalation via mass assignment in user invite registration allows any invited user to become admin

Kanboard is project management software focused on the Kanban methodology. Prior to 1.2.51, Kanboard's user invite registration endpoint (`UserInviteController::register()`) takes every parameter of the registration POST and passes the whole set to `UserModel::create()` without removing the `role` field. Because the model stores whatever fields it is handed, anyone who holds a valid invite link can add `role=app-admin` to the registration form (for example by editing the request in a proxy) and the resulting account is created as an administrator. This is a classic mass-assignment flaw: the only precondition is being invited, so an ordinary invitee escalates directly to full application admin. Version 1.2.51 fixes the issue.
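The following is an added illustration of the flaw and its fix, not Kanboard's own code (Kanboard is written in PHP; this models the controller-to-model hand-off in plain Python so it can be run as-is). The handler receives the registration form as a dict of POST fields and passes it to a user-creation function. The class and function names, the `app-user` default role, the allowed form fields, and the invite record are assumptions chosen to mirror the advisory's description; `app-admin` is the role value the advisory names.

```python
"""Mass assignment in an invite-registration handler: vulnerable vs. hardened.

Added example modelled on the advisory text; none of this is Kanboard code.
"""
from __future__ import annotations

# Role value named in the advisory; the default role for a fresh registrant
# is an assumption for this example.
ROLE_ADMIN = "app-admin"
ROLE_USER = "app-user"

# Fields a registering invitee is legitimately allowed to set (assumption).
REGISTRATION_FIELDS = frozenset({"username", "password", "name"})


class UserModel:
    """Stand-in for a persistence layer that stores whatever it is given."""

    def __init__(self) -> None:
        self.users: dict[int, dict] = {}

    def create(self, values: dict) -> int:
        # Like an ORM insert: every key in `values` becomes a column. The model
        # performs no authorization; deciding who may set `role` is the
        # controller's job, which is exactly what the vulnerable handler skips.
        user_id = len(self.users) + 1
        record = {"role": ROLE_USER, **values, "id": user_id}
        self.users[user_id] = record
        return user_id


def register_vulnerable(model: UserModel, invite: dict, post: dict) -> int:
    """Mirrors the pre-fix pattern: the full POST body reaches create()."""
    values = dict(post)
    values["email"] = invite["email"]  # invite carries the invitee's email (assumption)
    return model.create(values)


def register_hardened(model: UserModel, invite: dict, post: dict) -> tuple[int, list[str]]:
    """Allowlist the fields the form may set; the server decides the role.

    Returns the new user id and the names of any rejected fields, so a caller
    can log the attempt (an unexpected `role` field is a strong tamper signal).
    """
    rejected = sorted(set(post) - REGISTRATION_FIELDS)
    values = {k: v for k, v in post.items() if k in REGISTRATION_FIELDS}
    values["email"] = invite["email"]
    values["role"] = ROLE_USER  # never taken from the request
    return model.create(values), rejected


# Constructed sample POST body: a normal registration with `role` injected.
ATTACK_FORM = {
    "username": "mallory",
    "password": "correct horse battery staple",
    "name": "Mallory",
    "role": ROLE_ADMIN,
}


def demo() -> tuple[str, str]:
    """Run the same tampered form through both handlers; return the stored roles."""
    invite = {"email": "mallory@example.org"}  # constructed invite record
    vulnerable = UserModel()
    vid = register_vulnerable(vulnerable, invite, ATTACK_FORM)
    hardened = UserModel()
    hid, rejected = register_hardened(hardened, invite, ATTACK_FORM)
    return vulnerable.users[vid]["role"], hardened.users[hid]["role"]


if __name__ == "__main__":
    before, after = demo()
    print(f"vulnerable handler stored role: {before}")  # app-admin
    print(f"hardened handler stored role:   {after}")   # app-user
```

The fix is an allowlist, not a denylist: dropping only `role` would leave any other privileged column the model accepts exposed to the same trick. Rejected field names are returned rather than silently discarded so the caller can emit an audit event when a registration form arrives with fields the UI never sends.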

Metrics

CVSS v4.0 score: 7.0 (HIGH)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:H/SI:N/SA:N/E:P
Fixed in: 1.2.51
Affected products: 1

Affected packages
  • kanboard / kanboard < 1.2.51

The vector's PR:L reflects the one precondition, a valid invite; VI:H captures the direct outcome (an attacker-controlled administrator account), and E:P indicates that a proof-of-concept exploit exists. Operators should confirm the deployed version is 1.2.51 or later and review existing accounts for administrators created through the invite flow.