#1140774 kanboard: CVE-2026-56774

Package: src:kanboard
Source: src:kanboard
Submitter: Salvatore Bonaccorso
Date: 2026-06-26 06:25:02 UTC
Severity: normal
Tags:

#1140774#5
Date: 2026-06-26 06:24:02 UTC
From:
To:

Hi,

The following vulnerability was published for kanboard.

CVE-2026-56774[0]:
| Kanboard through 1.2.52, fixed in commit 928c68a,
| UserViewController::removeSession fails to validate the session id
| parameter before passing it to RememberMeSessionModel::remove,
| allowing authenticated users to delete other users' Remember Me
| sessions. Attackers can enumerate sequential session IDs and mass-
| invalidate persistent login sessions of any user, including
| administrators, forcing re-authentication and causing denial of
| service.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-56774
    https://www.cve.org/CVERecord?id=CVE-2026-56774
[1] https://github.com/kanboard/kanboard/issues/5829
[2] https://github.com/kanboard/kanboard/pull/5831
[3] https://github.com/kanboard/kanboard/commit/928c68aa2b7c00092dd71084d329b912e229f3d1

Regards,
Salvatore
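
The class of flaw in the CVE description (a delete keyed on a client-supplied id with no ownership check) is shown here next to a scoped form, as an added example that is not part of the original report and is not Kanboard's code or the actual fix in commit 928c68a. `SessionStore`, `removeUnscoped`, `removeForUser` and `handleRemove` are hypothetical names, the data is constructed, and PHP 8.0 or later is assumed.

```php
<?php
declare(strict_types=1);
// Hypothetical in-memory stand-in for a remember-me session table (not Kanboard code).
final class SessionStore
{
    private array $rows = [];   // session id => owning user id
    private int $nextId = 1;    // sequential ids, as in the CVE description

    public function create(int $userId): int
    {
        $this->rows[$this->nextId] = $userId;
        return $this->nextId++;
    }

    // Flawed pattern: deletes by id alone, so any caller can remove any row.
    public function removeUnscoped(int $sessionId): bool
    {
        $found = isset($this->rows[$sessionId]);
        unset($this->rows[$sessionId]);
        return $found;
    }

    // Hardened pattern: equivalent to DELETE ... WHERE id = ? AND user_id = ?
    public function removeForUser(int $userId, int $sessionId): bool
    {
        if (($this->rows[$sessionId] ?? null) !== $userId) {
            return false; // unknown id and foreign id get the same answer
        }
        unset($this->rows[$sessionId]);
        return true;
    }
}

// Hypothetical controller step: validate the raw parameter, then scope to the caller.
function handleRemove(SessionStore $store, int $currentUserId, mixed $rawId): int
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 400; // not a positive integer
    }
    return $store->removeForUser($currentUserId, $id) ? 200 : 404;
}

// Constructed data: user 1 is an administrator, user 2 a regular user.
$store = new SessionStore();
$adminSession = $store->create(1);
$ownSession = $store->create(2);
foreach ([[2, (string) $adminSession], [2, (string) $ownSession], [2, 'abc']] as [$uid, $raw]) {
    printf("user %d, id %s => %d\n", $uid, $raw, handleRemove($store, $uid, $raw));
}
```

Returning the same status for a nonexistent id and for another user's id keeps the endpoint from confirming which session ids are in use.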