CVE-2025-52576

Name of the Vulnerable Software and Affected Versions: Kanboard versions prior to 1.2.46

Description: Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, it is vulnerable to username enumeration and IP spoofing-based brute-force protection bypass. By analyzing login behavior and abusing trusted HTTP headers, an attacker can determine valid usernames and circumvent rate-limiting or blocking mechanisms. Any organization running a publicly accessible Kanboard instance is affected, especially if relying on IP-based protections like Fail2Ban or CAPTCHA for login rate-limiting. Attackers with access to the login page can exploit this flaw to enumerate valid usernames and bypass IP-based blocking mechanisms, putting all user accounts at higher risk of brute-force or credential stuffing attacks.

Recommendations: For versions prior to 1.2.46, update to version 1.2.46 to resolve the issue. As a temporary workaround, consider restricting access to the login page or implementing additional security measures to minimize the risk of exploitation. Avoid relying solely on IP-based protections for login rate-limiting.