CVE-2026-29056

Publication date 18 March 2026

Last updated 25 March 2026


Ubuntu priority

Description

Kanboard is project management software focused on Kanban methodology. Prior to 1.2.51, Kanboard's user invite registration endpoint (`UserInviteController::register()`) accepts all POST parameters and passes them to `UserModel::create()` without filtering out the `role` field. An attacker who receives an invite link can inject `role=app-admin` in the registration form to create an administrator account. Version 1.2.51 fixes the issue.
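The flaw class described above is mass assignment. The following added example is not Kanboard's code or its actual patch: it contrasts a registration handler that forwards every submitted field with one that allow-lists fields and sets the role server-side. All function names, the field list, and the `app-user` default role are assumptions for illustration.

```php
<?php
// Added illustration of the mass-assignment pattern; hypothetical names,
// not taken from the Kanboard source tree.

const ROLE_USER  = 'app-user';   // assumed default role for invited users
const ROLE_ADMIN = 'app-admin';  // role value named in the advisory
const ALLOWED_FIELDS = ['username', 'name', 'email', 'password']; // assumed form fields

// Stand-in for a model that persists whatever columns it is handed.
function create_user(array $values): array
{
    return $values + ['role' => ROLE_USER]; // default applies only if role is absent
}

// Vulnerable pattern: every submitted field reaches the model.
function register_unfiltered(array $post): array
{
    return create_user($post);
}

// Hardened pattern: keep allow-listed fields only and assign the
// privilege-bearing field on the server, never from the request.
function register_filtered(array $post): array
{
    $values = array_intersect_key($post, array_flip(ALLOWED_FIELDS));
    $values['role'] = ROLE_USER;
    return create_user($values);
}

// Fields outside the allow-list, worth logging as a tampering signal.
function rejected_fields(array $post): array
{
    return array_keys(array_diff_key($post, array_flip(ALLOWED_FIELDS)));
}

// Constructed sample submission carrying fields the form never offered.
$post = [
    'username'    => 'invitee',
    'email'       => 'invitee@example.test',
    'password'    => 'constructed-sample',
    'role'        => ROLE_ADMIN,
    'extra_field' => '1',
];

printf("unfiltered role: %s\n", register_unfiltered($post)['role']);
printf("filtered role:   %s\n", register_filtered($post)['role']);
printf("rejected fields: %s\n", implode(', ', rejected_fields($post)));
```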

Status

Package Ubuntu Release Status

