CVE-2026-35598
Published 2026-04-10
Priority: P4 · Severity: Medium · CVSS 3.1 base score 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.22% (12.0th percentile)
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows (or guesses) a task UID can read the full task data from any project on the instance. This vulnerability is fixed in 2.3.0.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.vikunja.io | api | >= 0 < 2.3.0 | 2.3.0 |
| go-vikunja | vikunja | < 2.3.0 | 2.3.0 |
| vikunja | vikunja | < 2.3.0 | 2.3.0 |
VulDB · 2026-04-10 · CVSS 4.3
CVE-2026-35598 [MEDIUM] go-vikunja up to 2.2.x GetResource/GetResourcesByList authorization (GHSA-48ch-p4gq-x46x)
A vulnerability classified as problematic has been found in go-vikunja vikunja up to 2.2.x. The affected code is the CalDAV `GetResource`/`GetResourcesByList` path, which fetches tasks by UID without an authorization check; the result is missing authorization (CWE-862).
This vulnerability has been assigned CVE-2026-35598. It is exploitable remotely by any authenticated CalDAV user. No public exploit is available.
Upgrading the affected component to 2.3.0 is advised.
GHSA · 2026-04-10
CVE-2026-35598 [MEDIUM] CWE-862 Vikunja Missing Authorization on CalDAV Task Read
## Summary
The CalDAV `GetResource` and `GetResourcesByList` methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows (or guesses) a task UID can read the full task data from any project on the instance.
## Details
`GetTasksByUIDs` at `pkg/models/tasks.go:376-393` performs a global database query with no authorization check:
```go
// Vulnerable version (prior to 2.3.0): the query is keyed on uid only.
func GetTasksByUIDs(s *xorm.Session, uids []string, a web.Auth) (tasks []*Task, err error) {
	tasks = []*Task{}
	// `a` is never consulted, so every task whose UID matches is returned,
	// regardless of which project it belongs to or who is asking.
	err = s.In("uid", uids).Find(&tasks)
	// ...
}
```
The `web.Auth` parameter is accepted but never used for permission filtering. This function is called by:
- `GetResource` at `pkg/routes/calda
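The defect and one way to close it, shown side by side as an added Go example that is not code from Vikunja or from the advisory. The task table and the project-membership check are replaced by an in-memory stand-in; `store`, `Auth`, `canRead`, `sampleStore` and `getTasksByUIDsChecked` are hypothetical names, and the sample tasks and memberships are constructed data. The actual fix shipped in 2.3.0 may be structured differently; the linked commit is authoritative.

```go
package main

import "fmt"

// Task carries only the fields this example needs; the data below is
// constructed sample data, not Vikunja's schema.
type Task struct {
	UID       string
	ProjectID int64
}

// Auth stands in for the web.Auth value the real function receives.
type Auth struct {
	UserID int64
}

// store is an in-memory stand-in for the xorm session (hypothetical).
type store struct {
	tasks []*Task
	// projectReaders: project ID -> user IDs with read access to it.
	projectReaders map[int64]map[int64]bool
}

// canRead is a hypothetical helper; Vikunja derives the answer from
// ownership, sharing and team membership.
func (s *store) canRead(a Auth, projectID int64) bool {
	return s.projectReaders[projectID][a.UserID]
}

func toSet(uids []string) map[string]bool {
	m := make(map[string]bool, len(uids))
	for _, u := range uids {
		m[u] = true
	}
	return m
}

// getTasksByUIDsVulnerable reproduces the defect: the lookup is keyed on
// uid alone and the caller's identity is never consulted.
func (s *store) getTasksByUIDsVulnerable(uids []string, a Auth) ([]*Task, error) {
	_ = a // accepted but unused, as in the affected code
	want := toSet(uids)
	out := []*Task{}
	for _, t := range s.tasks {
		if want[t.UID] {
			out = append(out, t)
		}
	}
	return out, nil
}

// getTasksByUIDsChecked is one way to close the hole: a row is returned only
// if its project is readable by the caller. A UID from a foreign project is
// simply absent from the result, indistinguishable from a UID that does not
// exist, so the CalDAV layer answers 404 either way and leaks nothing.
func (s *store) getTasksByUIDsChecked(uids []string, a Auth) ([]*Task, error) {
	want := toSet(uids)
	out := []*Task{}
	for _, t := range s.tasks {
		if want[t.UID] && s.canRead(a, t.ProjectID) {
			out = append(out, t)
		}
	}
	return out, nil
}

// sampleStore builds constructed data: user 1 reads project 10, user 2
// reads project 20, and one task lives in each project.
func sampleStore() *store {
	return &store{
		tasks: []*Task{
			{UID: "t-mine", ProjectID: 10},
			{UID: "t-secret", ProjectID: 20},
		},
		projectReaders: map[int64]map[int64]bool{
			10: {1: true},
			20: {2: true},
		},
	}
}

// uidsOf flattens a result for printing and assertions.
func uidsOf(tasks []*Task) []string {
	out := make([]string, 0, len(tasks))
	for _, t := range tasks {
		out = append(out, t.UID)
	}
	return out
}

func main() {
	s := sampleStore()
	caller := Auth{UserID: 1}               // authenticated, member of project 10 only
	probe := []string{"t-mine", "t-secret"} // one own UID, one guessed UID
	v, _ := s.getTasksByUIDsVulnerable(probe, caller)
	f, _ := s.getTasksByUIDsChecked(probe, caller)
	fmt.Println("vulnerable lookup:", uidsOf(v))
	fmt.Println("checked lookup:   ", uidsOf(f))
}
```

Against a real database the project filter belongs inside the query (an `IN` over the caller's readable project IDs, joined with the `uid IN (...)` condition) rather than in Go after the fact, so unauthorized rows never leave the database at all. Dropping foreign rows silently, rather than returning an error, is deliberate: a 403 on a guessed UID would confirm the UID exists.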
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/go-vikunja/vikunja/commit/879462d717351fe5d276ddec5246bdec31b41661
- https://github.com/go-vikunja/vikunja/pull/2579
- https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0
- https://github.com/go-vikunja/vikunja/security/advisories/GHSA-48ch-p4gq-x46x