kanboard

v1.2.52 Security

This release includes 2 security fixes and is relevant to security teams reviewing exposed deployments.

✓ No known CVEs patched

Topics

agile kanban kanboard project-management self-hosted

Summary

AI summary

Timing-safe token comparison, parameterized queries, access token revocation.

Full changelog
  • Enforce comment visibility rules for public and unauthenticated users:
    • Restricted comments are no longer exposed in public task views.
    • Users cannot create comments with a visibility level higher than their role.
  • Revoke public access tokens for inactive users.
  • Use timing-safe comparisons (hash_equals) for API and webhook token validation to mitigate timing attacks.
  • Replace raw SQL interpolation with parameterized queries in:
    • Task queries (TaskFinderModel)
    • iCalendar export conditions
  • Validate task ownership in bulk operations:
    • Ensure tasks belong to the specified project before applying bulk changes.
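The three fix patterns named in the changelog (timing-safe token comparison with hash_equals, parameterized task queries, and project-ownership validation before bulk changes) as an added PHP example. This is not Kanboard's own code; the function names, the `tasks` table layout and the in-memory SQLite fixture are assumptions constructed for the example.

```php
<?php
// Added example, not Kanboard's own code. Table and function names are assumptions.
declare(strict_types=1);

// --- Timing-safe token validation ------------------------------------------

// Before: `==` returns as soon as a byte differs, so the response time leaks how
// many leading bytes of the token were correct. PHP's loose comparison also
// treats two numeric-looking strings (e.g. "0e1234" and "0e5678") as equal.
function validateTokenUnsafe(string $stored, string $presented): bool
{
    return $stored == $presented;
}

// After: hash_equals() always walks the full known string, so the comparison
// time does not depend on where the first mismatch is. Its arguments must both
// be strings, which the declared parameter types enforce under strict_types.
function validateTokenSafe(string $stored, string $presented): bool
{
    return hash_equals($stored, $presented);
}

// --- Parameterized task queries --------------------------------------------

// Before: the value is spliced into the SQL text, so a quote in the input is
// interpreted as SQL rather than as data.
function findTasksByProjectUnsafe(PDO $db, string $projectId): array
{
    $sql = "SELECT id, title FROM tasks WHERE project_id = '$projectId'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// After: the value is bound to a placeholder and never becomes part of the SQL.
function findTasksByProject(PDO $db, int $projectId): array
{
    $stmt = $db->prepare('SELECT id, title FROM tasks WHERE project_id = :project_id');
    $stmt->execute([':project_id' => $projectId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Ownership check for bulk operations ------------------------------------

// Returns only the task ids that actually belong to $projectId; a bulk update
// should then be applied to this filtered list, not to the caller's raw list.
// The IN-list is built from "?" placeholders so any number of ids stays bound.
function filterTasksOwnedByProject(PDO $db, int $projectId, array $taskIds): array
{
    if ($taskIds === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($taskIds), '?'));
    $stmt = $db->prepare("SELECT id FROM tasks WHERE project_id = ? AND id IN ($placeholders)");
    $stmt->execute(array_merge([$projectId], array_values($taskIds)));
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

// --- Constructed fixture so the example runs offline ------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tasks (id INTEGER PRIMARY KEY, project_id INTEGER, title TEXT)');
$db->exec("INSERT INTO tasks VALUES (1, 10, 'Write spec'), (2, 10, 'Review'), (3, 20, 'Deploy')");

var_dump(validateTokenSafe('a1b2c3', 'a1b2c3'));
var_dump(validateTokenSafe('a1b2c3', 'a1b2c4'));
var_dump(validateTokenUnsafe('0e1234', '0e5678'));   // loose comparison pitfall
print_r(findTasksByProject($db, 10));
// Task 3 belongs to project 20 and must not be touched by a bulk change on project 10.
print_r(filterTasksOwnedByProject($db, 10, [1, 2, 3]));
```

Run with `php example.php` (requires the pdo_sqlite extension). The ownership filter is the piece to wire into every bulk endpoint: derive the list of ids to modify from the database, scoped to the project the caller is authorized for, rather than trusting the ids in the request.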

Security Fixes

  • Timing-safe comparisons for API token validation
  • Parameterized queries for task operations


About kanboard

Kanban project management software
