CVE-2026-21880 MEDIUM

CVE-2026-21880: Kanboard LDAP Injection Vulnerability can Lead to User Enumeration and Information Disclosure

Vendor: Kanboard
Product: kanboard
Weakness: CWE-90 · LDAP injection
Published: January 8, 2026
Last update: January 8, 2026

CVSS base score

5.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below have an LDAP Injection vulnerability in the LDAP authentication mechanism. User-supplied input is directly substituted into LDAP search filters without proper sanitization, allowing attackers to enumerate all LDAP users, discover sensitive user attributes, and perform targeted attacks against specific accounts. This issue is fixed in version 1.2.49.
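The weakness class described above (CWE-90), shown as an added example that is not Kanboard's code: a username substituted raw into a search filter beside the same substitution with RFC 4515 escaping. The filter template, function names and sample usernames are assumptions constructed for illustration.

```python
# Added example, not Kanboard's implementation. USER_FILTER is a hypothetical
# search-filter template with a %s placeholder for the login name.
USER_FILTER = "(&(objectClass=person)(uid=%s))"

# RFC 4515: these characters must be written as a backslash plus two hex
# digits when they appear inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string for use as an LDAP filter value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str) -> str:
    """The flawed pattern: raw input goes straight into the filter."""
    return USER_FILTER.replace("%s", username)


def build_filter_safe(username: str) -> str:
    """The hardened pattern: input is escaped before substitution."""
    return USER_FILTER.replace("%s", escape_filter_value(username))


def _raw_metachars(ldap_filter: str) -> int:
    # Escaped forms (\28, \29, \2a) contain none of these raw characters.
    return sum(ldap_filter.count(ch) for ch in "()*")


def alters_structure(ldap_filter: str) -> bool:
    """True if the filter carries more raw metacharacters than the template,
    meaning the substituted value changed the filter's structure."""
    return _raw_metachars(ldap_filter) != _raw_metachars(USER_FILTER.replace("%s", ""))


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary login, two containing metacharacters.
    for name in ("alice", "*", "al(i)ce\\"):
        unsafe, safe = build_filter_unsafe(name), build_filter_safe(name)
        print(f"{name!r:12} unsafe={unsafe}  altered={alters_structure(unsafe)}")
        print(f"{'':12} safe  ={safe}  altered={alters_structure(safe)}")
```

With escaping applied, a metacharacter in the login name is matched as a literal character instead of being interpreted by the directory server. Upgrading to the fixed version 1.2.49 remains the remedy the advisory gives.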

Key dates

02 Disclosure timeline

January 8, 2026: CVE published
January 8, 2026: Record updated