Go-Vikunja Vikunja vulnerabilities

35 known vulnerabilities affecting go-vikunja/vikunja.

Total CVEs: 35
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 9, MEDIUM 24

Vulnerabilities

Page 1 of 2
CVE-2026-34727 | HIGH | CVSS 7.4 | fixed in 2.3.0 | 2026-04-10
CVE-2026-34727 [HIGH] CWE-287: Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second factor is completely skipped. This vuln
Source: NVD
CVE-2026-35595 | HIGH | CVSS 8.3 | fixed in 2.3.0 | 2026-04-10
CVE-2026-35595 [HIGH] CWE-269: Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CanUpdate check at pkg/models/project_permissions.go:139-148 only requires CanWrite on the new parent project when changing parent_project_id. However, Vikunja's permission model uses a recursive CTE that walks up the project hierarchy to compute permissions. Moving a p
Source: NVD
CVE-2026-35597 | MEDIUM | CVSS 5.9 | fixed in 2.3.0 | 2026-04-10
CVE-2026-35597 [MEDIUM] CWE-307: Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the TOTP failed-attempt lockout mechanism is non-functional due to a database transaction handling bug. When a TOTP validation fails, the login handler in pkg/routes/api/v1/login.go calls HandleFailedTOTPAuth and then unconditionally rolls back. HandleFailedTOTPAuth in p
Source: NVD
CVE-2026-35602 | MEDIUM | CVSS 5.4 | fixed in 2.3.0 | 2026-04-10
CVE-2026-35602 [MEDIUM] CWE-770: Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the Vikunja file import endpoint uses the attacker-controlled Size field from the JSON metadata inside the import zip instead of the actual decompressed file content length for the file size enforcement check. By setting Size to 0 in the JSON while including large compre
Source: NVD
CVE-2026-35598 | MEDIUM | CVSS 4.3 | fixed in 2.3.0 | 2026-04-10
CVE-2026-35598 [MEDIUM] CWE-862: Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows (or guesses) a task UID can read the full task data from any
Source: NVD
CVE-2026-35594 | MEDIUM | CVSS 6.5 | fixed in 2.3.0 | 2026-04-10
CVE-2026-35594 [MEDIUM] CWE-613: Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims in pkg/models/link_sharing.go) constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner deletes a link share or downgrades its permissions, all
Source: NVD
CVE-2026-35600 | MEDIUM | CVSS 5.4 | fixed in 2.3.0 | 2026-04-10
CVE-2026-35600 [MEDIUM] CWE-79: Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday (which allows and tags), injected Markdown constructs produce phishing links and
Source: NVD
CVE-2026-40103 | MEDIUM | CVSS 4.3 | fixed in 2.3.0 | 2026-04-10
CVE-2026-40103 [MEDIUM] CWE-836: Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with only projects.background_delete is rejected. This is a scoped-token auth
Source: NVD
CVE-2026-35596 | MEDIUM | CVSS 4.3 | fixed in 2.3.0 | 2026-04-10
CVE-2026-35596 [MEDIUM] CWE-863: Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed. This v
Source: NVD
CVE-2026-35599 | MEDIUM | CVSS 6.5 | fixed in 2.3.0 | 2026-04-10
CVE-2026-35599 [MEDIUM] CWE-407: Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker triggers billions of loop i
Source: NVD
CVE-2026-35601 | MEDIUM | CVSS 4.1 | fixed in 2.3.0 | 2026-04-10
CVE-2026-35601 [MEDIUM] CWE-93: Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar p
Source: NVD
CVE-2026-33316 | HIGH | CVSS 8.1 | fixed in 2.2.0 | 2026-03-24
CVE-2026-33316 [HIGH] CWE-284: Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja's password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user's status to `StatusActive` after a successful password reset without verifying whether the account was previously disable
Source: NVD
CVE-2026-33678 | HIGH | CVSS 8.1 | fixed in 2.2.1 | 2026-03-24
CVE-2026-33678 [HIGH] CWE-639: Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, `TaskAttachment.ReadOne()` queries attachments by ID only (`WHERE id = ?`), ignoring the task ID from the URL path. The permission check in `CanRead()` validates access to the task specified in the URL, but `ReadOne()` loads a different attachment that may belong t
Source: NVD
CVE-2026-33679 | HIGH | CVSS 7.4 | fixed in 2.2.1 | 2026-03-24
CVE-2026-33679 [HIGH] CWE-918: Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http.Client{}` with no SSRF protection when downloading user avatar images from the OpenID Connect `picture` claim URL. An attacker who controls their OIDC profile picture URL can force the Vikunja
Source: NVD
CVE-2026-33668 | HIGH | CVSS 7.1 | affected versions >= 0.18.0, < 2.2.1 | 2026-03-24
CVE-2026-33668 [HIGH] CWE-285: Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user sta
Source: NVD
CVE-2026-33474 | MEDIUM | CVSS 6.5 | affected versions >= 1.0.0-rc0, < 2.2.0 | 2026-03-24
CVE-2026-33474 [MEDIUM] CWE-400: Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images. Version 2.2.0 patches the issue.
Source: NVD
CVE-2026-33313 | MEDIUM | CVSS 5.3 | fixed in 2.2.0 | 2026-03-24
CVE-2026-33313 [MEDIUM] CWE-639: Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to. Version 2.2.0 fixes the issue.
Source: NVD
CVE-2026-33334 | MEDIUM | CVSS 6.5 | affected versions >= 0.21.0, < 2.2.0 | 2026-03-24
CVE-2026-33334 [MEDIUM] CWE-94: Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the renderer process without `contextIsolation` or `sandbox`. This means any cross-site scripting (XSS) vulnerability in the Vikunja web frontend -- present or future
Source: NVD
CVE-2026-33676 | MEDIUM | CVSS 6.5 | fixed in 2.2.1 | 2026-03-24
CVE-2026-33676 [MEDIUM] CWE-863: Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has c
Source: NVD
CVE-2026-33315 | MEDIUM | CVSS 6.9 | fixed in 2.2.0 | 2026-03-24
CVE-2026-33315 [MEDIUM] CWE-288: Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the CalDAV endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA (if enabled), such as project nam
Source: NVD