CVE-2026-33058 in Kanboard
Summary
by MITRE • 03/18/2026
Kanboard is project management software focused on Kanban methodology. Versions prior to 1.2.51 have an authenticated SQL injection vulnerability. Attackers with the permission to add users to a project can leverage this vulnerability to dump the entirety of the kanboard database. Version 1.2.51 fixes the issue.
Analysis
by VulDB Data Team • 03/22/2026
The vulnerability identified as CVE-2026-33058 affects Kanboard, project management software built around the Kanban methodology for collaborative project tracking. It is an authenticated SQL injection flaw in versions prior to 1.2.51, and it poses a significant risk in collaborative deployments where many users interact with shared project data. The flaw is reachable through the user management function: a user who already holds the permission to add members to a project can use it to reach the database layer directly, escalating from a limited role to access to sensitive information.
Technically, the vulnerability stems from inadequate input validation in Kanboard's user management functionality. When a user with project membership permissions adds a new member to a project, the application fails to sanitize the user-supplied data before incorporating it into an SQL query. A malicious user can therefore inject arbitrary SQL that sidesteps the application's normal authentication and access checks and executes directly against the underlying database. The vulnerability is classified as CWE-89 (SQL Injection), the weakness class in which insufficient input validation lets an attacker alter the structure of a database query through crafted input.
The operational impact extends beyond simple data theft, because the flaw grants access to the whole database. An attacker with project membership permissions can extract all stored information, including user credentials, project details, task assignments, and potentially sensitive business data. This is a critical escalation from the initial permission level: a limited user role becomes full read access to the database. The attack vector maps to ATT&CK technique T1078 (Valid Accounts) and T1046 (Network Service Scanning), since the vulnerability enables both unauthorized access and data extraction from the database layer.
Organizations running Kanboard should prioritize immediate remediation by updating to version 1.2.51 or later, which implements proper input sanitization and parameterized query execution to prevent SQL injection. Additional mitigations include role-based access controls that limit each user's permissions to the minimum their function requires, monitoring database access logs for unusual query patterns (unexpected SQL syntax errors originating from the add-member function are one such signal), and regular security assessments of collaborative platforms. The vulnerability underlines the importance of validating all user input and keeping software up to date so that known flaws in widely used project management tools cannot be exploited.
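As an added illustration of the CWE-89 pattern the analysis describes, and of the parameterized-query fix it recommends, the following is hypothetical code, not Kanboard's own: an "add member to project" handler that resolves a username to a user id, written once with the username spliced into the SQL string and once with a bound parameter. The schema, table names and sample rows are constructed for the example.

```python
import sqlite3

def make_db():
    """Build an in-memory database with constructed sample rows (not Kanboard's schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, api_token TEXT);
        CREATE TABLE project_has_users (project_id INTEGER, user_id INTEGER);
        INSERT INTO users VALUES (1, 'alice', 'tok-alice'),
                                 (2, 'bob', 'tok-bob'),
                                 (3, 'O''Brien', 'tok-ob');
    """)
    return db

def find_user_vulnerable(db, username):
    """Defective pattern: the caller-controlled string becomes part of the SQL text,
    so the database parses any quote or operator in it as query syntax, not as a value."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return db.execute(sql).fetchall()

def find_user_safe(db, username):
    """Hardened pattern: a bound parameter is always treated as data by the driver."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()

def lookup_outcome(db, lookup, username):
    """Run a lookup and report ('ok', rows) or ('sql_error', message). A legitimate
    apostrophe in a name is enough to break the concatenated query, which is the
    kind of unexpected SQL syntax error worth alerting on in database logs."""
    try:
        return ("ok", lookup(db, username))
    except sqlite3.OperationalError as exc:
        return ("sql_error", str(exc))

def add_member(db, project_id, username, lookup):
    """Hypothetical add-member handler; returns the number of membership rows inserted."""
    rows = lookup(db, username)
    if len(rows) != 1:
        return 0  # refuse missing or ambiguous matches
    db.execute("INSERT INTO project_has_users VALUES (?, ?)", (project_id, rows[0][0]))
    return 1

def demo():
    """Exercise both lookups on the same input and return the observations."""
    db = make_db()
    return {
        "vulnerable": lookup_outcome(db, find_user_vulnerable, "O'Brien")[0],
        "safe": lookup_outcome(db, find_user_safe, "O'Brien"),
        "added": add_member(db, 7, "O'Brien", find_user_safe),
        "members": db.execute("SELECT COUNT(*) FROM project_has_users").fetchone()[0],
    }
```

The parameterized lookup returns the row for O'Brien and the member is added; the concatenated lookup fails with a syntax error on the same benign input, which is exactly the point at which attacker-chosen text would instead be executed as SQL.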