CVE-2026-21879 Overview
CVE-2026-21879 is an Open Redirect vulnerability affecting Kanboard, a popular open-source project management software focused on Kanban methodology. This vulnerability allows malicious actors to redirect authenticated users to attacker-controlled websites by crafting specially formed URLs that bypass input validation checks.
The vulnerability exists in versions 1.2.48 and below, where the filter_var($url, FILTER_VALIDATE_URL) function fails to properly validate protocol-relative URLs (e.g., //evil.com). Attackers can exploit this weakness to conduct phishing attacks, steal user credentials, or distribute malware by tricking authenticated users into visiting malicious websites.
Critical Impact
Authenticated users can be redirected to malicious websites after login, enabling credential theft, phishing attacks, and malware distribution through trusted application flows.
Affected Products
- Kanboard versions 1.2.48 and below
- Kanboard installations using the default redirect-after-login functionality
Discovery Timeline
- 2026-01-08 - CVE-2026-21879 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2026-21879
Vulnerability Analysis
This Open Redirect vulnerability (CWE-601) stems from insufficient URL validation in Kanboard's login redirect mechanism. The application stores a redirect URI in the user's session when accessing protected resources while unauthenticated. After successful authentication, the user is redirected to this stored URI.
The core issue lies in the validation logic that relies solely on PHP's filter_var() function with the FILTER_VALIDATE_URL flag. This validation method incorrectly accepts protocol-relative URLs (URLs beginning with //) as invalid, but the negation logic in the original code meant that URLs failing validation were actually used for redirection. This inverted logic allowed attackers to craft malicious redirect URIs that would pass through the flawed validation check.
An attacker could exploit this by sending a victim a link to the Kanboard login page with a malicious redirect parameter set to //evil.com. After the victim authenticates, they would be automatically redirected to the attacker-controlled website, which could host a convincing phishing page to harvest credentials or deliver malware payloads.
Root Cause
The vulnerability originates from flawed input validation logic in the redirectAfterLogin() method within app/Controller/BaseController.php. The original implementation used a negated filter_var() check that inadvertently allowed protocol-relative URLs to be used as redirect targets. Protocol-relative URLs like //evil.com are interpreted by browsers as using the same protocol as the current page, effectively redirecting to https://evil.com when accessed over HTTPS.
Attack Vector
The attack follows this sequence: An attacker crafts a malicious URL targeting the Kanboard login endpoint with a protocol-relative redirect parameter (e.g., //evil.com). When an authenticated user clicks this link or when an unauthenticated user accesses it and subsequently logs in, the application stores the malicious URI in the session. Upon successful authentication, the redirectAfterLogin() function retrieves the stored URI, fails to properly validate it, and redirects the user to the attacker-controlled website.
// Vulnerable code in app/Controller/BaseController.php (before patch)
protected function redirectAfterLogin()
{
if (session_exists('redirectAfterLogin') && ! filter_var(session_get('redirectAfterLogin'), FILTER_VALIDATE_URL)) {
$redirect = session_get('redirectAfterLogin');
session_remove('redirectAfterLogin');
$this->response->redirect($redirect);
} else {
$this->response->redirect($this->helper->url->to('DashboardController', 'show'));
}
}
Source: GitHub Commit Details
The patched version introduces a dedicated isSafeRedirectUri() method that explicitly rejects protocol-relative URLs and enforces that redirect URIs must be relative paths starting with a single forward slash:
// Patched code in app/Core/Http/Request.php
public function isSafeRedirectUri($uri)
{
$uri = trim($uri);
if ($uri === '') {
return false;
}
// Reject backslashes
if (str_contains($uri, '\\')) {
return false;
}
// Reject if it starts with // (protocol-relative)
if (str_starts_with($uri, '//')) {
return false;
}
// Reject if it does not start with a slash (relative path)
if (! str_starts_with($uri, '/')) {
return false;
}
// ...
}
Source: GitHub Commit Details
Detection Methods for CVE-2026-21879
Indicators of Compromise
- Unusual redirect parameters in Kanboard login URLs containing protocol-relative paths (//external-domain.com)
- Web server logs showing login requests followed by redirects to external domains
- User reports of being redirected to unfamiliar websites after Kanboard login
- Session data containing redirect URIs pointing to external hosts
Detection Strategies
- Monitor web application firewall (WAF) logs for requests containing protocol-relative URLs in redirect parameters
- Implement URL pattern matching rules to detect // sequences in login-related query parameters
- Review access logs for login endpoints with suspicious redirect values containing external domain references
- Deploy intrusion detection signatures to flag redirect attempts to non-whitelisted domains
Monitoring Recommendations
- Enable detailed logging for authentication events including stored redirect URIs
- Set up alerts for login requests containing unusual URL patterns in redirect parameters
- Monitor for user sessions that result in external redirects immediately after authentication
- Track referrer headers to identify potential phishing campaigns exploiting this vulnerability
How to Mitigate CVE-2026-21879
Immediate Actions Required
- Upgrade Kanboard to version 1.2.49 or later immediately
- Review web server logs for evidence of exploitation attempts
- Notify users about potential phishing risks if exploitation is suspected
- Implement WAF rules to block protocol-relative URLs in redirect parameters as an interim measure
Patch Information
The vulnerability has been fixed in Kanboard version 1.2.49. The patch introduces a new isSafeRedirectUri() method in app/Core/Http/Request.php that performs comprehensive validation of redirect URIs, explicitly rejecting protocol-relative URLs, backslash-containing paths, and non-relative URIs.
For detailed patch information, see the GitHub Security Advisory GHSA-mhv9-7m9w-7hcq and the GitHub Release v1.2.49.
Workarounds
- Deploy a web application firewall (WAF) rule to block requests containing // in redirect-related parameters
- Configure reverse proxy rules to strip or reject suspicious redirect parameters
- Implement network-level URL filtering to block protocol-relative URLs targeting the login endpoint
- Consider temporarily disabling the redirect-after-login feature if immediate patching is not possible
# Example nginx configuration to block protocol-relative redirects
location /kanboard/ {
# Block requests with protocol-relative URLs in common redirect parameters
if ($args ~* "(redirect|return|next|url)=//") {
return 403;
}
proxy_pass http://kanboard_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
