{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-20T21:46:10.710","vulnerabilities":[{"cve":{"id":"CVE-2026-21881","sourceIdentifier":"security-advisories@github.com","published":"2026-01-08T02:15:53.803","lastModified":"2026-01-20T15:57:22.667","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below is vulnerable to a critical authentication bypass when REVERSE_PROXY_AUTH is enabled. The application blindly trusts HTTP headers for user authentication without verifying the request originated from a trusted reverse proxy. An attacker can impersonate any user, including administrators, by simply sending a spoofed HTTP header. This issue is fixed in version 1.2.49."},{"lang":"es","value":"Kanboard es un software de gestión de proyectos centrado en la metodología Kanban. Las versiones 1.2.48 e inferiores son vulnerables a una omisión de autenticación crítica cuando REVERSE_PROXY_AUTH está habilitado. La aplicación confía ciegamente en los encabezados HTTP para la autenticación de usuarios sin verificar que la solicitud se originó desde un proxy inverso de confianza. Un atacante puede suplantar a cualquier usuario, incluidos los administradores, simplemente enviando un encabezado HTTP falsificado. Este problema se solucionó en la versión 1.2.49."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":5.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-287"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*:*","versionEndExcluding":"1.2.49","matchCriteriaId":"AFA1D972-E76A-4A20-95F5-68D9915D3797"}]}]}],"references":[{"url":"https://github.com/kanboard/kanboard/commit/7af6143e2ad25b5c15549cca8af4341c7ac4e2fc","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/kanboard/kanboard/releases/tag/v1.2.49","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/kanboard/kanboard/security/advisories/GHSA-wwpf-3j4p-739w","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"https://github.com/kanboard/kanboard/security/advisories/GHSA-wwpf-3j4p-739w","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Vendor Advisory"]}]}}]}