PT-2026-26020 · Kanboard · Kanboard

High · fguillot · Published 2026-03-18 · Updated 2026-03-18 · CVE-2026-29056

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Kanboard versions prior to 1.2.51

Description

Kanboard is project management software focused on the Kanban methodology. The user invite registration endpoint (UserInviteController::register()) accepts all POST parameters and passes them to UserModel::create() without filtering the role field. An attacker receiving an invite link can inject role=app-admin into the registration form to create an administrator account. The role parameter is vulnerable to injection.

Recommendations

Versions prior to 1.2.51 should be updated to version 1.2.51 or later.
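
The flaw in the description is a mass-assignment pattern: every request field reaches the model layer. The PHP sketch below is an added example, not Kanboard's code or its actual patch; it contrasts the unfiltered handler shape with an allow-listed one. The function names, field names and the `app-user` default role are assumptions for illustration.

```php
<?php
// Added illustration: simplified stand-ins, not Kanboard's source code.

const DEFAULT_ROLE = 'app-user'; // assumed name of the non-privileged role

// Stand-in for a model-layer create(): stores whatever columns it is given.
function createUser(array $values): array
{
    return $values + ['role' => DEFAULT_ROLE]; // default applies only if role is absent
}

// Shape described in the advisory: all POST fields are passed to the model.
function registerUnfiltered(array $post): array
{
    return createUser($post);
}

// Hardened shape: allow-list what an invitee may set, pin the role server-side.
function registerFiltered(array $post): array
{
    $allowed = ['username', 'name', 'email', 'password']; // assumed form fields
    $values = array_intersect_key($post, array_flip($allowed));
    $values['role'] = DEFAULT_ROLE; // never read from the request
    return createUser($values);
}

// Constructed request body carrying the extra field named in the advisory,
// plus one unrelated unexpected field.
$post = [
    'username' => 'invitee',
    'name' => 'Invited User',
    'email' => 'invitee@example.test',
    'password' => 'constructed-sample-password',
    'role' => 'app-admin',
    'unexpected_field' => '1',
];

echo 'unfiltered role: ', registerUnfiltered($post)['role'], PHP_EOL;
echo 'filtered role:   ', registerFiltered($post)['role'], PHP_EOL;

// Regression check: client-supplied role and unknown fields must be dropped.
$created = registerFiltered($post);
if ($created['role'] !== DEFAULT_ROLE || array_key_exists('unexpected_field', $created)) {
    throw new RuntimeException('registration handler accepted unfiltered input');
}
```

The closing check is the kind of regression test worth keeping beside any registration or profile-update handler: submit fields the form does not offer and confirm none of them reach the stored record.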

Exploit

Fix

LPE

Weakness Enumeration

Related Identifiers

CVE-2026-29056
GHSA-2JVJ-Q44V-6P3X

Affected Products

Kanboard