CVE-2026-25531 MEDIUM

CVE-2026-25531: Kanboard TaskCreationController::duplicateProjects() endpoint does not validate user permissions for target projects

Vendor Kanboard
Product kanboard
Weakness CWE-862 · Missing authorization
Published February 13, 2026
Last update February 13, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

Kanboard is project management software focused on Kanban methodology. In versions prior to 1.2.50, the fix for CVE-2023-33968 is incomplete: the TaskCreationController::duplicateProjects() endpoint does not validate user permissions for target projects, allowing authenticated users to duplicate tasks into projects they cannot access. This vulnerability is fixed in 1.2.50.

Key dates

02 Disclosure timeline

February 13, 2026 CVE published
February 13, 2026 Record updated