code.vikunja.io/api vulnerabilities

32 known vulnerabilities affecting code.vikunja.io/api.

Total CVEs: 32
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 9, MEDIUM 21

Vulnerabilities

CVE-2026-35595 | HIGH | affected ≥ 0, < 2.3.0 | 2026-04-10
CWE-269: Vikunja vulnerable to Privilege Escalation via Project Reparenting. Summary: A user with Write-level access to a project can escalate their permissions to Admin by moving the project under a project they own. After reparenting, the recursive permission CTE resolves ownership of the new parent as Admin on the moved project. The attacker can then delete the project, manage shares, and remove other u
Source: GHSA
CVE-2026-34727 | HIGH | affected ≥ 0, < 2.3.0 | 2026-04-10
CWE-287: Vikunja has TOTP Two-Factor Authentication Bypass via OIDC Login Path. Summary: The OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second factor is completely skipped. Details: The OIDC callback at `pkg/modules/auth/o
Source: GHSA
CVE-2026-35601 | MEDIUM | affected ≥ 0, < 2.3.0 | 2026-04-10
CWE-93: Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output. Summary: The CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as `ATTACH`, `VALARM`, or
Source: GHSA
CVE-2026-35599 | MEDIUM | affected ≥ 0, < 2.3.0 | 2026-04-10
CWE-407: Vikunja has Algorithmic Complexity DoS in Repeating Task Handler. Summary: The `addRepeatIntervalToTime` function uses an O(n) loop that advances a date by the task's `RepeatAfter` duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker triggers billions of loop iterations, consuming CPU and holding a database co
Source: GHSA
CVE-2026-35597 | MEDIUM | affected ≥ 0, < 2.3.0 | 2026-04-10
CWE-307: Vikunja Vulnerable to TOTP Brute-Force Due to Non-Functional Account Lockout. Summary: The TOTP failed-attempt lockout mechanism is non-functional due to a database transaction handling bug. The account lock is written to the same database session that the login handler always rolls back on TOTP failure, so the lockout is triggered but never persisted. This allows unlimited brute-force
Source: GHSA
CVE-2026-40103 | MEDIUM | affected ≥ 0, < 2.3.0 | 2026-04-10
CWE-836: Vikunja: Scoped API tokens with projects.background permission can delete project backgrounds. Summary: Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only `projects.background` can successfully delete a project background, while a token with only `projects.background_delete` is rejected. This is a scoped-
Source: GHSA
CVE-2026-35602 | MEDIUM | affected ≥ 0, < 2.3.0 | 2026-04-10
CWE-770: Vikunja has File Size Limit Bypass via Vikunja Import. Summary: The Vikunja file import endpoint uses the attacker-controlled `Size` field from the JSON metadata inside the import zip instead of the actual decompressed file content length for the file size enforcement check. By setting `Size` to 0 in the JSON while including large compressed file entries in the zip, an attacker bypasses the configured maximu
Source: GHSA
CVE-2026-35596 | MEDIUM | affected ≥ 0, < 2.3.0 | 2026-04-10
CWE-863: Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug. Summary: The `hasAccessToLabel` function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed. Details: The access cont
Source: GHSA
CVE-2026-35594 | MEDIUM | affected ≥ 0, < 2.3.0 | 2026-04-10
CWE-613: Vikunja: Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade. Description: Vikunja's link share authentication constructs authorization objects entirely from JWT claims without any server-side database validation. When
Source: GHSA
CVE-2026-35600 | MEDIUM | affected ≥ 0, < 2.3.0 | 2026-04-10
CWE-79: Vikunja has HTML Injection via Task Titles in Overdue Email Notifications. Summary: Task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday (which allows `` and `` tags), injected Markdown constructs produce phishing links and tracking pixels in legitimate
Source: GHSA
CVE-2026-35598 | MEDIUM | affected ≥ 0, < 2.3.0 | 2026-04-10
CWE-862: Vikunja Missing Authorization on CalDAV Task Read. Summary: The CalDAV `GetResource` and `GetResourcesByList` methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows (or guesses) a task UID can read the full task data from any project on the instance. Details: `GetTasksByUIDs` at `pkg/models/tasks.go:
Source: GHSA
CVE-2026-33680 | HIGH | affected ≥ 0, < 2.2.2 | 2026-03-25
CWE-285: Vikunja: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation. Summary: The `LinkSharing.ReadAll()` method allows link share authenticated users to list all link shares for a project, including their secret hashes. While `LinkSharing.CanRead()` correctly blocks link share users from reading individual shares via `ReadOne`, the `ReadAllWeb` handler bypas
Sources: GHSA, OSV
CVE-2026-33668 | HIGH | affected ≥ 0.18.0, < 2.2.1 | 2026-03-25
CWE-285: Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect. Summary: When a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing d
Sources: GHSA, OSV
CVE-2026-33678 | HIGH | affected ≥ 0, < 2.2.1 | 2026-03-25
CWE-639: Vikunja: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion. Summary: `TaskAttachment.ReadOne()` queries attachments by ID only (`WHERE id = ?`), ignoring the task ID from the URL path. The permission check in `CanRead()` validates access to the task specified in the URL, but `ReadOne()` loads a different attachment that may belong to a task in anothe
Sources: GHSA, OSV
CVE-2026-33677 | MEDIUM | affected ≥ 0, < 2.2.1 | 2026-03-25
CWE-200: Vikunja: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API. Summary: The `GET /api/v1/projects/:project/webhooks` endpoint returns webhook BasicAuth credentials (`basic_auth_user` and `basic_auth_password`) in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC `secret` field, the BasicAuth
Sources: GHSA, OSV
CVE-2026-33675 | MEDIUM | affected ≥ 0, < 2.2.1 | 2026-03-25
CWE-918: Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources. Summary: The migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.go` make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration,
Sources: GHSA, OSV
CVE-2026-33700 | MEDIUM | affected ≥ 0, < 2.2.1 | 2026-03-25
CWE-639: Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion. Summary: The `DELETE /api/v1/projects/:project/shares/:share` endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares from other projects
Sources: GHSA, OSV
CVE-2026-33676 | MEDIUM | affected ≥ 0, < 2.2.1 | 2026-03-25
CWE-863: Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read. Summary: When the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An aut
Sources: GHSA, OSV
CVE-2026-33679 | MEDIUM | affected ≥ 0, < 2.2.1 | 2026-03-25
CWE-918: Vikunja Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download. Summary: The `DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http.Client{}` with no SSRF protection when downloading user avatar images from the OpenID Connect `picture` claim URL. An attacker who controls their OIDC profile picture URL can force the Vikunja server to make HTTP GET reques
Sources: GHSA, OSV
CVE-2026-33316 | HIGH | affected ≥ 0, ≤ 2.1.0 | 2026-03-20
CWE-284: Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement. Summary: A flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user’s status to `StatusActive` after a successful password reset without verifying whether the account was previously disabled.
Sources: GHSA, OSV