CVE-2026-35595: Improper Privilege Management in Vikunja

Severity: 8.3 HIGH (NVD)
EPSS: 0.0% (top 89.72%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 10

Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CanUpdate check at pkg/models/project_permissions.go:139-148 only requires CanWrite on the new parent project when changing parent_project_id. However, Vikunja's permission model uses a recursive CTE that walks up the project hierarchy to compute permissions. Moving a project under a different parent changes the permission inheritance chain. When a user has inherited Write access (from a parent project share) and

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Exploitability: 2.8 | Impact: 5.5

Affected Packages (2 packages)

CVEList V5: go-vikunja/vikunja < 2.3.0

Vulnerability Details (2)
GHSA: Vikunja vulnerable to Privilege Escalation via Project Reparenting (2026-04-10)
VulDB: go-vikunja up to 2.2.x project_permissions.go privileges management (GHSA-2vq4-854f-5c72) (2026-04-10)