CVE-2026-40103
Published 2026-04-10
Priority: P4 (30) · Severity: medium · CVSS 3.1 base score: 5.4
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
EPSS: 0.22% (12.7th percentile)
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with only projects.background_delete is rejected. This is a scoped-token authorization bypass. This vulnerability is fixed in 2.3.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.vikunja.io | api | >= 0 < 2.3.0 | 2.3.0 |
| go-vikunja | vikunja | < 2.3.0 | 2.3.0 |
| vikunja | vikunja | < 2.3.0 | 2.3.0 |
GHSA
Vikunja: Scoped API tokens with projects.background permission can delete project backgrounds
ghsa·2026-04-10
CVE-2026-40103 [MEDIUM] CWE-836 Vikunja: Scoped API tokens with projects.background permission can delete project backgrounds
### Summary
Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only `projects.background` can successfully delete a project background, while a token with only `projects.background_delete` is rejected.
This is a scoped-token authorization bypass.
### Details
I verified this locally on commit `c5450fb55f5192508638cbb3a6956438452a712e`.
Relevant code paths:
* `pkg/models/api_routes.go`
* `pkg/routes/routes.go`
* `pkg/modules/background/handler/background.go`
Route registration exposes separate permissions for the same path:
* `GET /api/v1/projects/:project/background` -> `projects.background`
* `DELETE /api/v1/projects/:project/backgro
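The route-level point above, as an added example that is not Vikunja's code: a constructed scope check over the two routes the advisory names, run once with path-only matching (so a DELETE is checked against the GET route's `projects.background` scope, which is the method confusion described) and once with method-and-path matching. The route table, `requiredScope` and `allowed` are hypothetical names chosen for this illustration.

```go
package main

import "fmt"

// Constructed route table (not Vikunja's code) modelled on the two routes the advisory lists:
// method + path -> scope a token needs.
var routes = []struct{ method, path, scope string }{
	{"GET", "/api/v1/projects/:project/background", "projects.background"},
	{"DELETE", "/api/v1/projects/:project/background", "projects.background_delete"},
}

// requiredScope returns the scope for a request. With matchMethod=false it models the
// method-confused check: the first route with the same path wins, so DELETE is checked
// against GET's scope. With matchMethod=true each verb keeps its own scope.
func requiredScope(method, path string, matchMethod bool) string {
	for _, r := range routes {
		if r.path == path && (!matchMethod || r.method == method) {
			return r.scope
		}
	}
	return "" // unknown route: deny
}

// allowed reports whether a token holding scopes may call method on path.
func allowed(scopes []string, method, path string, matchMethod bool) bool {
	need := requiredScope(method, path, matchMethod)
	if need == "" {
		return false
	}
	for _, s := range scopes {
		if s == need {
			return true
		}
	}
	return false
}

func main() {
	const p = "/api/v1/projects/:project/background"
	get, del := []string{"projects.background"}, []string{"projects.background_delete"}
	// Path-only matching: the GET-scoped token may delete, the DELETE-scoped token is rejected.
	fmt.Println(allowed(get, "DELETE", p, false), allowed(del, "DELETE", p, false)) // true false
	// Method-aware matching: only the DELETE-scoped token may delete.
	fmt.Println(allowed(get, "DELETE", p, true), allowed(del, "DELETE", p, true)) // false true
	// GET is unaffected either way.
	fmt.Println(allowed(get, "GET", p, false), allowed(get, "GET", p, true)) // true true
}
```

The first `Println` line reproduces the advisory's two observations; the second shows what the check returns once the method is part of the lookup key.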
VulDB
go-vikunja up to 2.2.x projects.background_delete password hash instead of password for authentication (GHSA-v479-vf79-mg83)
vuldb·2026-04-10·CVSS 4.3
CVE-2026-40103 [MEDIUM] go-vikunja up to 2.2.x projects.background_delete password hash instead of password for authentication (GHSA-v479-vf79-mg83)
A vulnerability categorized as problematic has been discovered in go-vikunja vikunja up to 2.2.x. This impacts the function projects.background_delete. Such manipulation leads to use of password hash instead of password for authentication.
This vulnerability is uniquely identified as CVE-2026-40103. The attack can be launched remotely. No exploit exists.
It is advisable to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-10