Release history

kanboard releases

Kanban project management software

Back to tool Latest release

All releases

4 shown

v1.2.52 Security relevant 2mo

Security fixes

Timing-safe comparisons for API token validation
Parameterized queries for task operations

Full changelog

Enforce comment visibility rules for public and unauthenticated users:
- Restricted comments are no longer exposed in public task views.
- Users cannot create comments with a visibility level higher than their role.
Revoke public access tokens for inactive users.
Use timing-safe comparisons (hash_equals) for API and webhook token validation to mitigate timing attacks.
Replace raw SQL interpolation with parameterized queries in:
- Task queries (TaskFinderModel)
- iCalendar export conditions
Validate task ownership in bulk operations:
- Ensure tasks belong to the specified project before applying bulk changes.

View release on GitHub

v1.2.51 Security relevant 2mo

Security fixes

SSRF protection for webhook notifications
Unsafe deserialization prevention
Parameter injection restrictions

View release on GitHub

v1.2.50 Security relevant 3mo

Security fixes

Authorization checks added in controllers
Parsedown safe mode enabled
CSRF protection for roles

View release on GitHub

v1.2.49 Security relevant 4mo

Security fixes

LDAP injection vulnerability
Protocol-relative URL redirect prevention

Notable features

TRUSTED_PROXY_NETWORKS configuration option

View release on GitHub

Beta — feedback welcome: [email protected]