
Kanboard


Free and open source Kanban project management software focused on simplicity and productivity for small teams.

Kanboard is on a year-long security-hardening run, sweeping the codebase one attack class at a time.

Tags: project-management, security-hardening, open-source, self-hosted, php-modernization
Current state
Kanboard's last six releases read as a single sustained security audit: parameterized queries replacing raw SQL, SSRF protection for webhooks, LDAP injection escapes, timing-safe token comparisons, CSRF for project role changes, comment-visibility enforcement for unauthenticated users, and removal of unsafe deserialization paths (file cache driver, legacy serialized events). Feature work continues in parallel — RTL support, Arabic translation, sub-task counts, bulk tag operations — but is clearly secondary to the hardening arc.
Where it's heading
The team is methodically working through input surfaces (LDAP, headers, webhooks, file uploads, redirect targets) and output surfaces (comments, exports, API responses) to close authorization and injection gaps. This is mature-project hygiene, not pivot work — Kanboard is positioning itself as an audit-ready self-hostable kanban for organizations with security review checklists. PHP 8.1 is now the floor; the codebase is being modernized alongside the hardening.
Prediction
Expect the security cadence to continue with one to two more releases focused on remaining trust boundaries, then a feature-weighted release picking up RTL/locale follow-ons and possibly the long-promised SQLite/Postgres parity work hinted at by recent Docker Compose additions.

Recent moves

  1. 1mo ago

    Kanboard 1.2.52

    Continues the audit arc: comment visibility now enforced for public and unauthenticated users (restricted comments stop leaking, role-based visibility caps creation), public access tokens revoked for inactive users, and timing-safe hash_equals replacing string compare for API/webhook tokens. Also swaps raw SQL interpolation for parameterized queries in TaskFinderModel and iCal export, and validates task-project ownership before bulk operations.

  2. 2mo ago

    Kanboard 1.2.51

    Closes a cluster of distinct attack classes: SSRF on webhook notifications (with a new opt-in for private networks), unsafe deserialization in the database session handler, parameter injection in invite signup, and several missing API permission checks. The breadth of separate fixes in one release is the story — same-week sweep across multiple subsystems.

  3. 3mo ago

    Kanboard 1.2.50

    Authorization-focused release: missing controller-level authz checks added, project-level checks enforced where they were absent, plugin installer checks tightened, and Parsedown safe mode enabled for an extra layer on Markdown rendering. CSRF protection added to project role changes. Reads as the controllers/Markdown lap of the broader audit.

  4. 4mo ago

    Kanboard 1.2.49

    Notable for the LDAP-injection escape fix, plus redirect-target hardening (no more protocol-relative URLs as login redirects), TRUSTED_PROXY_NETWORKS configuration, and an opt-in block on private-network access for outbound link fetches. These are the kind of fixes that appear on enterprise hardening checklists.

  5. 7mo ago

    Kanboard 1.2.48

    Feature-weighted release relative to its neighbors: RTL language support, Arabic translation, sub-task completion shown as both x/y and percentage, board/RSS/iCal public links exposed in the API. Less security-heavy than the surrounding cycle, suggesting a planned feature checkpoint between hardening passes.

  6. 9mo ago

    Kanboard 1.2.47

    Removes the file cache driver and stops loading legacy PHP-serialized events outright — both flagged as deserialization risk. Also adds two new task-assignment automation actions and a pdf() response helper. The feat! markers signal breaking changes for sites that depended on the file cache or serialized events.

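The SSRF fix in 1.2.51 and the opt-in private-network block for outbound link fetches in 1.2.49 both come down to the same check: validate where a user-supplied URL actually points before the server fetches it. The sketch below is an added example, not Kanboard's own code; the `$allowPrivate` flag stands in for an operator opt-in whose real name in Kanboard is not given here.

```php
<?php
// Added example, not Kanboard's own code: validate an outbound webhook/link
// target before fetching it. $allowPrivate stands in for an operator opt-in
// such as the one the 1.2.51 notes describe; the flag name is assumed.

function is_public_ip(string $ip): bool
{
    // NO_PRIV_RANGE rejects RFC 1918 and fc00::/7; NO_RES_RANGE rejects
    // loopback, link-local, 0.0.0.0/8 and other reserved blocks.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

function is_safe_outbound_url(string $url, bool $allowPrivate = false): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    // Only plain HTTP(S): blocks file://, gopher://, php://, and friends.
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    if ($allowPrivate) {
        return true;
    }
    $host = trim($parts['host'], '[]'); // strip IPv6 literal brackets
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return is_public_ip($host); // literal address, no DNS needed
    }
    // Resolve every A/AAAA record and require all of them to be public, so a
    // name that mixes a public and an internal address is still rejected.
    $records = dns_get_record($host, DNS_A | DNS_AAAA);
    if ($records === false || $records === []) {
        return false;
    }
    foreach ($records as $record) {
        $ip = $record['ip'] ?? $record['ipv6'] ?? null;
        if ($ip === null || !is_public_ip($ip)) {
            return false;
        }
    }
    return true;
}

var_dump(is_safe_outbound_url('http://127.0.0.1:8080/hook'));
var_dump(is_safe_outbound_url('http://10.0.0.5/hook', true));
var_dump(is_safe_outbound_url('ftp://example.com/hook'));
```

This check resolves the name separately from the fetch, so a name whose records change between the two (DNS rebinding) can still slip through; the fetch should connect to the address validated here rather than resolving again.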