Kanboard Patch Fixes LDAP Injection and Critical Proxy Bypass
Multiple security flaws in the open-source Kanboard project management tool are disclosed today, and version 1.2.49 is released to address them. Administrators should upgrade immediately and audit reverse-proxy settings to prevent account takeover and phishing risks.

Multiple security vulnerabilities affecting Kanboard, the open-source kanban project management tool, are disclosed publicly on Jan. 8, 2026, and fixed in the newly released Kanboard 1.2.49. The disclosures identify three tracked CVEs: an LDAP injection and user enumeration flaw (CVE-2026-21880), a reverse-proxy authentication bypass (CVE-2026-21881), and an open redirect vulnerability (CVE-2026-21879). Vendors and public CVE feeds surfaced the issues and tied the corrective patches to the 1.2.49 release.
The LDAP flaw affects Kanboard installations running versions up to and including 1.2.48. The application’s LDAP authentication mechanism placed user-supplied input directly into LDAP search filters without appropriate sanitization, allowing attackers to manipulate queries to enumerate directory users and harvest sensitive attributes. Advisories warn that this information can be used to craft targeted attacks against specific accounts and, in some configurations, manipulated LDAP queries can lead to unauthorized access. Third-party aggregators list the vulnerability with a medium-range score around 5.3 to 5.4, but vendor advisory language cautions that impact can be greater in targeted environments. Reporters should reference the canonical CVE entries on MITRE and the NVD for authoritative scoring.
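The defensive pattern behind this class of bug is to never concatenate user input into a filter string. The following is an added illustration written for this article in Python, not Kanboard's own PHP code; the filter shape `(&(objectClass=person)(uid=...))`, the username allowlist, and the sample input are all constructed for the example. It shows the escaping rule from RFC 4515 section 3 applied to an assertion value, with the unsafe concatenation kept only so the two results can be compared.

```python
import re

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion
# value. Backslash is listed first so the escapes we introduce are not
# re-escaped by the later replacements.
_LDAP_FILTER_ESCAPES = (
    ("\\", r"\5c"),
    ("*", r"\2a"),
    ("(", r"\28"),
    (")", r"\29"),
    ("\x00", r"\00"),
)


def escape_ldap_filter_value(value: str) -> str:
    """Return `value` with every RFC 4515 filter metacharacter hex-escaped."""
    for ch, rep in _LDAP_FILTER_ESCAPES:
        value = value.replace(ch, rep)
    return value


# Assumed allowlist for this example: letters, digits and a few separators,
# at most 64 characters. A real deployment derives this from its own naming policy.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def is_plausible_username(name: str) -> bool:
    """Allowlist check applied before the value goes anywhere near the directory."""
    return _USERNAME_RE.fullmatch(name) is not None


def build_user_filter_unsafe(username: str) -> str:
    """The pattern the advisory describes: raw input concatenated into the filter."""
    return f"(&(objectClass=person)(uid={username}))"


def build_user_filter(username: str, user_attr: str = "uid") -> str:
    """Hardened form: reject implausible names, then escape whatever survives."""
    if not is_plausible_username(username):
        raise ValueError("username contains characters outside the allowed set")
    return f"(&(objectClass=person)({user_attr}={escape_ldap_filter_value(username)}))"


def count_assertions(ldap_filter: str) -> int:
    """Number of unescaped '(' in a filter: one per AND/OR node or assertion.

    After escaping, '(' cannot appear inside a value, so this count reveals
    whether input added assertions the application never intended.
    """
    return ldap_filter.count("(")


if __name__ == "__main__":
    # Constructed input that closes the uid assertion and opens a new one.
    crafted = "alice)(mail=*"
    print(build_user_filter_unsafe(crafted), count_assertions(build_user_filter_unsafe(crafted)))
    print(escape_ldap_filter_value(crafted))
    print(build_user_filter("alice"), count_assertions(build_user_filter("alice")))
```

The two layers are deliberate: the allowlist rejects most hostile input outright, and the escaping protects any code path that reaches the directory with a value the allowlist was never applied to (an e-mail address, a display name, a group lookup). Escaping alone is sufficient for correctness; the allowlist limits what an attacker can learn from error messages and timing.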
The most severe flaw is the reverse-proxy authentication bypass tied to CVE-2026-21881. When the REVERSE_PROXY_AUTH option is enabled, Kanboard trusted incoming HTTP authentication headers as if they originated from an authenticated user without verifying that the request passed through a trusted proxy. That blind trust can be exploited if an attacker is able to send or forge such headers to the application, effectively permitting login as any user under certain misconfigurations. Heise and vendor release notes characterize this issue as critical and identify it as one of the most serious fixes in the 1.2.49 update.
CVE-2026-21879, an open redirect, allows crafted URLs to bypass URL filters and redirect authenticated users to attacker-controlled sites. Security analysts note the risk of phishing, credential theft, and malware distribution stemming from such redirects, and characterize the issue as medium severity.
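Open redirects are typically introduced by a "return to" parameter that is checked loosely (for example by looking for a leading slash) and then handed to a `Location` header. The following is an added Python illustration for this article, not Kanboard's code; the allowed host names and the test URLs are constructed. It accepts only same-origin relative paths or absolute `http`/`https` URLs whose host is on an allowlist, and it rejects the scheme-relative and backslash forms that defeat a naive prefix check.

```python
from urllib.parse import urlsplit

# Assumed allowlist for the example: the hosts this instance is served from.
ALLOWED_HOSTS = frozenset({"kanboard.example"})


def is_safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for a relative path on this site or an absolute URL to an allowed host."""
    if not target:
        return False
    # Whitespace and control characters are tolerated by some browsers in ways
    # that change how the URL is parsed; a legitimate target never needs them.
    if any(c.isspace() or ord(c) < 0x20 for c in target):
        return False
    # Browsers treat '\' as '/' in URLs, so '/\evil.example' and
    # 'https://evil.example\@kanboard.example' are not what urlsplit reports.
    if "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.netloc:
        # Absolute (or scheme-relative '//host') URL: the host decides.
        host = (parts.hostname or "").lower()
        return host in allowed_hosts
    # No authority component: only a single-slash relative path is accepted.
    return target.startswith("/") and not target.startswith("//")


def safe_redirect(target: str, fallback: str = "/", allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return `target` if it passes the check, else the fallback path."""
    return target if is_safe_redirect_target(target, allowed_hosts) else fallback


if __name__ == "__main__":
    for t in ["/board/1", "//evil.example/", "https://kanboard.example/board/1",
              "https://kanboard.example@evil.example/", "javascript:alert(1)"]:
        print(repr(t), "->", safe_redirect(t))
```

The userinfo case (`https://kanboard.example@evil.example/`) is the one most often missed by checks that search the string for the expected host name: the expected name is present, but the browser connects to the host after the `@`. Parsing the URL and comparing the parsed host avoids that whole family of tricks.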

The vendor advisory credited in public listings is security-advisories@github.com, and public feeds including MITRE/NVD and aggregators such as SecAlerts surfaced the CVE entries on Jan. 8, 2026. SecAlerts’ entry for the LDAP issue lists a risk score of 5.3 and marks the problem medium, while Heise’s coverage emphasizes the critical nature of the reverse-proxy bypass and reports a CVSS of roughly 9.1 for that issue.
Administrators should upgrade to Kanboard 1.2.49 or later without delay. Deployments that use reverse proxies should audit proxy configurations and ensure that Kanboard only trusts authentication headers from known, trusted proxy endpoints; if that cannot be confirmed, disable REVERSE_PROXY_AUTH until a secure configuration is in place. Operators should also validate input handling for LDAP and URL construction logic to eliminate unsafe redirects.
For definitive technical details and CVSS vectors, consult the Kanboard 1.2.49 release notes and the canonical CVE entries on MITRE and the National Vulnerability Database.
