CVE-2026-40103 — Use of Password Hash Instead of Password for Authentication in Vikunja

CWE-836 — Use of Password Hash Instead of Password for Authentication CWE-863 — Incorrect Authorization3 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

0.0%

top 91.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Go-vikunja Vikunja Code.vikunja.io API

Timeline

PublishedApr 10

Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with only projects.background_delete is rejected. This is a scoped-token authorization bypass. This vulnerability is fixed in 2.3.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5go-vikunja/vikunja< 2.3.0

▶Gocode.vikunja.io/api< 2.3.0

🔴Vulnerability Details

GHSA

Vikunja: Scoped API tokens with projects.background permission can delete project backgrounds↗2026-04-10

▶

VulDB

go-vikunja up to 2.2.x projects.background_delete password hash instead of password for authentication (GHSA-v479-vf79-mg83)↗2026-04-10

▶