Home > Vulnerability Database > CVE-2026-21881

Mend.io Vulnerability Database

CVE-2026-21881

Good to know:

Date: January 7, 2026

Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below is vulnerable to a critical authentication bypass when REVERSE_PROXY_AUTH is enabled. The application blindly trusts HTTP headers for user authentication without verifying the request originated from a trusted reverse proxy. An attacker can impersonate any user, including administrators, by simply sending a spoofed HTTP header. This issue is fixed in version 1.2.49.

Severity Score

9.1

Related Resources (5)

Url: https://github.com/kanboard/kanboard/commit/7af6143e2ad25b5c15549cca8af4341c7ac4e2fc

Url: https://github.com/kanboard/kanboard/releases/tag/v1.2.49

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-21881

Url: https://github.com/kanboard/kanboard/security/advisories/GHSA-wwpf-3j4p-739w

Url: https://www.mend.io/vulnerability-database/CVE-2026-21881

Severity Score

9.1

Weakness Type (CWE)

Improper Authentication

CWE-287

Top Fix

Upgrade Version

Upgrade to version https://github.com/kanboard/kanboard.git - v1.2.49

Learn More

CVSS v3.1

Base Score:	9.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-21881

Good to know:

Date: January 7, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?