CVE Vulnerability Details :
CVE-2026-56774
PUBLISHED
Assigner: VulnCheck
Assigner Org ID: 83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At: 25 Jun, 2026 | 18:10
Updated At: 25 Jun, 2026 | 21:33
Rejected At: -
CVE Numbering Authority (CNA)
Kanboard - Cross-User Deletion of Persistent Login Sessions via Unvalidated Session ID

In Kanboard through 1.2.52 (fixed in commit 928c68a), UserViewController::removeSession fails to validate the session id parameter before passing it to RememberMeSessionModel::remove, allowing authenticated users to delete other users' Remember Me sessions. Attackers can enumerate sequential session IDs and mass-invalidate the persistent login sessions of any user, including administrators, forcing re-authentication and causing a denial of service.

Affected Products
Vendor: kanboard
Product: kanboard
Repo: https://github.com/kanboard/kanboard
Default Status: unaffected
Versions
Affected:
  • From 0 through 1.2.52 (semver)
Unaffected:
  • 928c68aa2b7c00092dd71084d329b912e229f3d1 (git)
Problem Types
Type: CWE
CWE ID: CWE-639
Description: Authorization Bypass Through User-Controlled Key
Metrics
Version: 4.0
Base score: 5.3
Base severity: MEDIUM
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Credits
Finder: George Chen
References
https://github.com/kanboard/kanboard/issues/5829 (technical-description, exploit)
https://github.com/kanboard/kanboard/pull/5831 (issue-tracking)
https://github.com/kanboard/kanboard/commit/928c68aa2b7c00092dd71084d329b912e229f3d1 (patch)
https://www.vulncheck.com/advisories/kanboard-cross-user-deletion-of-persistent-login-sessions-via-unvalidated-session-id (third-party-advisory)
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment: Details not found