CVE-2026-35594
Published 2026-04-10
Priority: P3 (39) · Severity: medium
CVSS 3.1: 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS: 0.27% (18.3rd percentile)
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims in pkg/models/link_sharing.go) constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner deletes a link share or downgrades its permissions, all previously issued JWTs continue to grant the original permission level for up to 72 hours (the default service.jwtttl). This vulnerability is fixed in 2.3.0.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.vikunja.io | api | >= 0 < 2.3.0 | 2.3.0 |
| go-vikunja | vikunja | < 2.3.0 | 2.3.0 |
| vikunja | vikunja | < 2.3.0 | 2.3.0 |
VulDB · 2026-04-10 · CVSS 6.5 · [MEDIUM]
go-vikunja up to 2.2.x link_sharing.go GetLinkShareFromClaims session expiration (GHSA-96q5-xm3p-7m84)
A vulnerability was found in go-vikunja vikunja up to 2.2.x. It has been declared critical. This issue affects the function GetLinkShareFromClaims of the file pkg/models/link_sharing.go. Executing a manipulation can lead to session expiration.
This vulnerability is handled as CVE-2026-35594. The attack can be executed remotely. No exploit is available.
It is recommended to upgrade the affected component.
GHSA · 2026-04-10 · CVE-2026-35594 [MEDIUM] · CWE-613
## Title
Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade
## Description
Vikunja's link share authentication constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner deletes a link share or downgrades its permissions, all previously issued JWTs continue to grant the **original** permission level for up to **72 hours** (the default `service.jwtttl`).
`GetLinkShareFromClaims` at `pkg/models/link_sharing.go` lines 88-119 performs **zero database queries** — it builds the `LinkSharing` struct purely from JWT claim values (`id`, `hash`, `project_id`, `permission`, `sharedByID`). Th
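The claims-only construction the advisory describes, set beside a form that re-reads the share on every request, as an added Go illustration rather than Vikunja's own code or its actual fix. The field names follow the claims listed above; the permission encoding (0 read, 1 write, 2 admin), the in-memory store and the function names are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// LinkShareClaims holds the JWT claim fields the advisory names. Permission uses a
// hypothetical encoding for this example: 0 read, 1 write, 2 admin.
type LinkShareClaims struct {
	ID, ProjectID, SharedByID int64
	Hash                      string
	Permission                int
}

// LinkSharing is the authorization object a request is served with. It has the same
// fields as the claims, which is exactly why claims-only construction is tempting.
type LinkSharing LinkShareClaims

// linkShareStore stands in for the server-side shares table as it exists right now.
type linkShareStore map[int64]LinkSharing

var ErrShareRevoked = errors.New("link share has been deleted")

// fromClaimsUnchecked reproduces the vulnerable pattern: every field comes from the
// token, so a deletion or downgrade on the server has no effect until the JWT expires.
func fromClaimsUnchecked(c LinkShareClaims) *LinkSharing {
	ls := LinkSharing(c)
	return &ls
}

// fromClaimsChecked is the hardened pattern: the token only identifies the share;
// existence and the effective permission are read from the store on every request.
func fromClaimsChecked(c LinkShareClaims, store linkShareStore) (*LinkSharing, error) {
	cur, ok := store[c.ID]
	if !ok || cur.Hash != c.Hash || cur.ProjectID != c.ProjectID {
		return nil, ErrShareRevoked
	}
	return &cur, nil // the stored Permission wins, never the claimed one
}

func main() {
	// Constructed scenario: token issued while the share was admin (2); the owner has
	// since downgraded the share to read-only (0) and will then delete it.
	tok := LinkShareClaims{ID: 7, ProjectID: 3, SharedByID: 1, Hash: "abc", Permission: 2}
	store := linkShareStore{7: {ID: 7, ProjectID: 3, SharedByID: 1, Hash: "abc", Permission: 0}}
	fmt.Println("unchecked:", fromClaimsUnchecked(tok).Permission) // 2: stale admin
	ls, _ := fromClaimsChecked(tok, store)
	fmt.Println("checked:", ls.Permission) // 0: current read-only
	delete(store, 7)                       // owner deletes the share
	_, err := fromClaimsChecked(tok, store)
	fmt.Println("after delete:", err) // link share has been deleted
}
```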
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/go-vikunja/vikunja/commit/379d8a5c19334ffe4846003f590e202c31a75479
- https://github.com/go-vikunja/vikunja/pull/2581
- https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0
- https://github.com/go-vikunja/vikunja/security/advisories/GHSA-96q5-xm3p-7m84