
Kanboard User Invite Registration Allows Unauthorized Admin Creation

CVE-2026-29056
Summary

Kanboard's user invite registration process allowed attackers to create admin accounts by manipulating the registration form. This vulnerability has been fixed in version 1.2.51. Update to the latest version to protect against this issue.

Original title
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.51, Kanboard's user invite registration endpoint (`UserInviteController::register()`) accepts all POST parameters...
Original description
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.51, Kanboard's user invite registration endpoint (`UserInviteController::register()`) accepts all POST parameters and passes them to `UserModel::create()` without filtering out the `role` field. An attacker who receives an invite link can inject `role=app-admin` in the registration form to create an administrator account. Version 1.2.51 fixes the issue.
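The mass-assignment pattern the description refers to, as an added illustration that is not Kanboard's own code (the function names and the simplified `createUser()` stand-in for `UserModel::create()` are assumptions): the vulnerable shape forwards every POST field to the model, while the hardened shape copies only the fields the invite form is meant to supply and sets the role server-side.

```php
<?php
// Added illustration, not Kanboard's code. Models the CWE-915 pattern
// described above: a registration handler that forwards every POST field
// to the user model, beside an allow-listed version.

// Hypothetical stand-in for UserModel::create(): stores whatever it is given,
// applying the default role only when no 'role' key is present.
function createUser(array $values): array
{
    return $values + ['role' => 'app-user'];
}

// Vulnerable shape: all POST parameters reach the model, so a submitted
// 'role' field overrides the default.
function registerVulnerable(array $post): array
{
    return createUser($post);
}

// Hardened shape: copy only the fields the form is meant to supply and set
// the role server-side, so client input cannot choose it.
function registerHardened(array $post): array
{
    $allowed = ['username', 'name', 'email', 'password'];
    $values = [];
    foreach ($allowed as $key) {
        if (isset($post[$key])) {
            $values[$key] = $post[$key];
        }
    }
    $values['role'] = 'app-user'; // fixed by the server, never by the client
    return createUser($values);
}

// Constructed request: an ordinary invite form submission carrying an
// extra 'role' field that the form never renders.
$post = [
    'username' => 'invitee',
    'name'     => 'Invited User',
    'email'    => 'invitee@example.com',
    'password' => 'correct horse battery staple',
    'role'     => 'app-admin',
];

echo 'vulnerable handler stores role: ', registerVulnerable($post)['role'], "\n";
echo 'hardened handler stores role:   ', registerHardened($post)['role'], "\n";
```

A detection-side check for this class of bug is to diff the keys a handler forwards to the model against the keys the form actually renders; any extra writable key, especially one governing privilege, is a candidate.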
NVD CVSS 4.0 score: 7.0
Vulnerability type
CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes, i.e. mass assignment)
Published: 18 Mar 2026 · Updated: 18 Mar 2026 · First seen: 18 Mar 2026