CVE-2026-21881
Kanboard · Kanboard is project management software focused on Kanban
A critical authentication bypass vulnerability has been identified in Kanboard project management software.
Executive summary
A critical authentication bypass vulnerability has been identified in Kanboard project management software. This flaw allows an unauthenticated attacker to impersonate any user, including administrators, by sending a specially crafted request, granting them complete control over the application. This could lead to the theft of sensitive project data, system disruption, and unauthorized modifications.
Vulnerability
The vulnerability exists in Kanboard instances where the REVERSE_PROXY_AUTH feature is enabled. The application is designed to delegate authentication to a trusted reverse proxy, which then passes the authenticated user's identity in an HTTP header (e.g., REMOTE_USER). However, the application fails to verify that these requests originate exclusively from the trusted proxy. A remote, unauthenticated attacker can bypass the proxy, connect directly to the Kanboard application, and inject a spoofed HTTP header to impersonate any valid user, granting them the full privileges of that user's account.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.1. Successful exploitation grants an attacker complete administrative control over the Kanboard application. This can lead to severe business consequences, including the compromise of confidential project information, theft of intellectual property, unauthorized modification or deletion of critical data, and disruption of project management workflows. The compromised system could also serve as a foothold for attackers to pivot and launch further attacks against the internal network.
Remediation
Immediate Action: Update Kanboard to the latest version (1.2.49 or newer), which contains the fix for this vulnerability. After patching, review application and web server access logs for any suspicious login activity or direct access attempts that may indicate prior exploitation.
Proactive Monitoring: Monitor web server logs for requests made directly to the Kanboard application that contain authentication-related headers like REMOTE_USER, especially if the source IP is not a trusted reverse proxy. Implement alerts for unusual administrative activity or logins from unrecognized IP addresses.
Compensating Controls: If patching is not immediately possible, implement strict network controls. Configure firewalls or network access control lists (ACLs) to ensure that the Kanboard application server only accepts inbound connections from the IP address of the trusted reverse proxy. This prevents attackers from bypassing the proxy and sending malicious requests directly to the application.
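The monitoring and network-control recommendations above can be turned into a simple detection: flag any request that reached the application tier carrying a REMOTE_USER header from an address other than the trusted reverse proxy. The script below is an added illustration, not Kanboard's code or part of this advisory; the log format, the proxy address 10.0.0.5, and the sample log lines are constructed assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Assumed access-log layout (constructed for this example): client IP, timestamp,
# request line, status, and the value of the inbound REMOTE_USER request header,
# e.g. an Apache LogFormat of  "%a [%t] \"%r\" %>s \"%{REMOTE_USER}i\"".
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) "(?P<remote_user>[^"]*)"$'
)

# Assumption: the only host allowed to present an identity header is the proxy.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def is_trusted_proxy(ip: str) -> bool:
    """True when the source address belongs to the trusted reverse-proxy set."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def find_spoofed_auth_headers(lines: List[str]) -> List[Dict[str, str]]:
    """Return log records that carried a REMOTE_USER header but did not come from the proxy."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # line not in the expected format; skip rather than guess
        rec = m.groupdict()
        if rec["remote_user"] in ("", "-"):
            continue  # no identity header presented, nothing to spoof
        if not is_trusted_proxy(rec["ip"]):
            findings.append(rec)  # direct access asserting an identity: alert
    return findings


# Constructed sample: a legitimate proxied request, a direct request claiming
# the "admin" identity from an untrusted address, and a direct request with no header.
SAMPLE_LOG = [
    '10.0.0.5 [12/Mar/2026:10:01:02 +0000] "GET /dashboard HTTP/1.1" 200 "alice"',
    '203.0.113.7 [12/Mar/2026:10:03:45 +0000] "GET /users HTTP/1.1" 200 "admin"',
    '203.0.113.9 [12/Mar/2026:10:04:10 +0000] "GET /login HTTP/1.1" 200 "-"',
]

if __name__ == "__main__":
    for f in find_spoofed_auth_headers(SAMPLE_LOG):
        print(f"ALERT: {f['ip']} sent REMOTE_USER={f['remote_user']!r} directly: {f['request']}")
```

On a correctly firewalled deployment (only the proxy may reach the application) this check should never fire; any hit is either a misconfiguration or an attempt to exploit this issue.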
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability presents a critical and immediate threat to the confidentiality, integrity, and availability of your project management data. Due to the ease of exploitation and the potential for complete system compromise, organizations must prioritize patching all affected Kanboard instances to version 1.2.49 or later without delay. While this vulnerability is not currently listed on the CISA KEV catalog, its critical severity warrants immediate remediation as if it were under active exploitation.