CVE-2026-35594
published 2026-04-10


Priority: P339
Severity: medium, 6.5 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.27% (18.3rd percentile)
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims in pkg/models/link_sharing.go) constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner deletes a link share or downgrades its permissions, all previously issued JWTs continue to grant the original permission level for up to 72 hours (the default service.jwtttl). This vulnerability is fixed in 2.3.0.
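The weak pattern the advisory describes beside a server-side check, as an added Go example (not Vikunja's own code; the types, permission levels and in-memory store are constructed for illustration):

```go
package main

import (
	"errors"
	"fmt"
)

// Permission levels a link share can carry (constructed for this example).
type Permission int
const (
	PermRead Permission = iota
	PermWrite
	PermAdmin
)

// LinkShareClaims are the fields a link-share JWT asserts: a snapshot of the
// share taken when the token was issued.
type LinkShareClaims struct{ ShareID, ProjectID int64; Permission Permission }

// LinkShare is the server-side record the project owner edits or deletes;
// shareStore stands in for the database table holding them.
type LinkShare struct{ ID, ProjectID int64; Permission Permission }
type shareStore map[int64]LinkShare

var ErrShareRevoked = errors.New("link share revoked or not in the claimed project")

// fromClaimsOnly mirrors the weak pattern: authorization is built from the token
// alone, so a deleted or downgraded share keeps its permission until the JWT expires.
func fromClaimsOnly(c LinkShareClaims) LinkShare {
	return LinkShare{ID: c.ShareID, ProjectID: c.ProjectID, Permission: c.Permission}
}

// fromClaimsValidated uses the claims only as a lookup key: the share must still
// exist in the claimed project, and the permission in effect is the stored one.
func fromClaimsValidated(c LinkShareClaims, db shareStore) (LinkShare, error) {
	s, ok := db[c.ShareID]
	if !ok || s.ProjectID != c.ProjectID {
		return LinkShare{}, ErrShareRevoked
	}
	return s, nil
}

func main() {
	db := shareStore{1: {ID: 1, ProjectID: 10, Permission: PermAdmin}}
	claims := LinkShareClaims{ShareID: 1, ProjectID: 10, Permission: PermAdmin}
	db[1] = LinkShare{ID: 1, ProjectID: 10, Permission: PermRead} // owner downgrades
	fmt.Println("claims only:", fromClaimsOnly(claims).Permission) // 2 (PermAdmin)
	s, err := fromClaimsValidated(claims, db)
	fmt.Println("validated:", s.Permission, err) // 0 (PermRead) <nil>
}
```

The same lookup also covers deletion: once the row is gone, a still-valid token is refused immediately instead of at service.jwtttl expiry.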

Affected (3 ranges)

Vendor             Product    Version range     Fixed in
code.vikunja.io    api        >= 0, < 2.3.0     2.3.0
go-vikunja         vikunja    < 2.3.0           2.3.0
vikunja            vikunja    < 2.3.0           2.3.0