Description

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard is vulnerable to username enumeration and IP spoofing-based brute-force protection bypass. By analyzing login behavior and abusing trusted HTTP headers, an attacker can determine valid usernames and circumvent rate-limiting or blocking mechanisms. Any organization running a publicly accessible Kanboard instance is affected, especially if relying on IP-based protections like Fail2Ban or CAPTCHA for login rate-limiting. Attackers with access to the login page can exploit this flaw to enumerate valid usernames and bypass IP-based blocking mechanisms, putting all user accounts at higher risk of brute-force or credential stuffing attacks. Version 1.2.46 contains a patch for the issue.

INFO

Published Date :

2025-06-25T16:46:01.954Z

Last Modified :

2025-06-25T17:55:05.784Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-52576 vulnerability.

Vendors Products
Kanboard
  • Kanboard
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-52576.

URL Resource
https://github.com/kanboard/kanboard/blob/cbb7e60fb595ff4572bb8801b275a0b451c4bda0/app/Model/UserLockingModel.php#L101-L104 cve-icon cve-icon
https://github.com/kanboard/kanboard/blob/cbb7e60fb595ff4572bb8801b275a0b451c4bda0/app/Subscriber/AuthSubscriber.php#L96-L108 cve-icon cve-icon
https://github.com/kanboard/kanboard/commit/3079623640dc39f9c7b0c840d2a79095331051f1 cve-icon cve-icon
https://github.com/kanboard/kanboard/security/advisories/GHSA-qw57-7cx6-wvp7 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact