Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Wed, 15 Jul 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 15 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Kanboard through 1.2.52, fixed in commit 564cc30, BoardAjaxController save() method (used by the kanban board drag-and-drop endpoint) validates the caller's role on the attacker-supplied project_id but never verifies that the supplied task_id actually belongs to that project. Because task identifiers are sequential integers shared across the entire instance, any authenticated user who is a member of at least one project can enumerate and move (corrupt/hide) tasks belonging to any other project on the same instance, including private projects they have no membership or role on. | |
| Title | Kanboard BoardAjaxController Missing Ownership Check via Drag-and-Drop | |
| First Time appeared |
Kanboard
Kanboard kanboard |
|
| Weaknesses | CWE-639 | |
| CPEs | cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Kanboard
Kanboard kanboard |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-15T17:54:24.732Z
Reserved: 2026-07-01T21:54:37.946Z
Link: CVE-2026-58660
Updated: 2026-07-15T17:54:19.443Z
No data.
No data.
OpenCVE Enrichment
No data.