CVE-2025-52576
Kanboard vulnerable to Username Enumeration via Login Behavior and Bruteforce Protection Bypass
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Kanboard vulnerable to Username Enumeration via Login Behavior and Bruteforce Protection Bypass
Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard is vulnerable to username enumeration and IP spoofing-based brute-force protection bypass. By analyzing login behavior and abusing trusted HTTP headers, an attacker can determine valid usernames and circumvent rate-limiting or blocking mechanisms. Any organization running a publicly accessible Kanboard instance is affected, especially if relying on IP-based protections like Fail2Ban or CAPTCHA for login rate-limiting. Attackers with access to the login page can exploit this flaw to enumerate valid usernames and bypass IP-based blocking mechanisms, putting all user accounts at higher risk of brute-force or credential stuffing attacks. Version 1.2.46 contains a patch for the issue.
Reserved 2025-06-18 | Published 2025-06-25 | Updated 2025-06-25 | Assigner GitHub_MCWE-203: Observable Discrepancy
github.com/...nboard/security/advisories/GHSA-qw57-7cx6-wvp7
github.com/...ommit/3079623640dc39f9c7b0c840d2a79095331051f1
github.com/...275a0b451c4bda0/app/Model/UserLockingModel.php
github.com/...a0b451c4bda0/app/Subscriber/AuthSubscriber.php
Support options
