Authorization Flaw in Vikunja Task Management Platform by Vikunja
CVE-2026-35594
6.5 MEDIUM
What is CVE-2026-35594?
Vikunja is an open-source, self-hosted task management platform. Its link sharing functionality contains an authorization flaw: prior to version 2.3.0, Vikunja constructed authorization objects solely from JWT claims, without validating them against the database on the server side. As a result, if a project owner deleted a link share or reduced its permissions, previously issued JWTs retained their original permissions for up to 72 hours, so the revocation or downgrade did not take effect for anyone already holding a token. The flaw shows why claims carried in a token need to be re-validated against server-side state, and it has been addressed in version 2.3.0.
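The difference between trusting JWT claims and re-checking the link share on the server, as an added example that is not Vikunja's own code. The type and function names, the permission constants and the in-memory map standing in for the database are assumptions made for illustration, and the token is assumed to have already passed signature verification.

```go
package main

import (
	"fmt"
	"time"
)

// Constructed permission levels for this example (hypothetical names).
const (
	PermRead = iota
	PermWrite
	PermAdmin
)

// ShareClaims models the payload of a link-share JWT whose signature was already verified.
type ShareClaims struct {
	ShareID    int64
	Permission int
	ExpiresAt  time.Time
}

// ShareStore stands in for the link-share table: share ID -> current permission.
type ShareStore map[int64]int

// AllowedByClaims is the flawed pattern: the token alone decides until it expires.
func AllowedByClaims(c ShareClaims, need int, now time.Time) bool {
	return now.Before(c.ExpiresAt) && c.Permission >= need
}

// AllowedByStore re-reads the share on every request, so deletion and downgrades
// apply immediately; the claim is used only to locate the row.
func AllowedByStore(db ShareStore, c ShareClaims, need int, now time.Time) bool {
	current, exists := db[c.ShareID]
	return now.Before(c.ExpiresAt) && exists && current >= need
}

func main() {
	now := time.Now()
	db := ShareStore{7: PermAdmin}
	tok := ShareClaims{ShareID: 7, Permission: PermAdmin, ExpiresAt: now.Add(72 * time.Hour)}
	db[7] = PermRead // owner downgrades the share after the token was issued
	fmt.Println("write, claims only:", AllowedByClaims(tok, PermWrite, now))
	fmt.Println("write, store check:", AllowedByStore(db, tok, PermWrite, now))
	delete(db, 7) // owner deletes the share
	fmt.Println("read, claims only:", AllowedByClaims(tok, PermRead, now))
	fmt.Println("read, store check:", AllowedByStore(db, tok, PermRead, now))
}
```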
Affected Version(s)
vikunja < 2.3.0
