Permission Inheritance Weakness in Vikunja Task Management Platform
CVE-2026-35595

8.3 HIGH

Key Information:

Vendor: Go-vikunja

Status
Vendor
CVE Published: 10 April 2026

What is CVE-2026-35595?

Vikunja, an open-source task management platform, contains a permission inheritance flaw in versions prior to 2.3.0. The flaw is in the CanUpdate check of the permission model, which does not adequately verify permissions when a user changes the parent project of a project. Because permissions are resolved by recursively traversing the project hierarchy, reparenting a project can inadvertently grant a user elevated access to the moved project. Specifically, a user who inherits Write permission from a parent project could be escalated to Admin by changing the project hierarchy. This puts the integrity of project permissions at risk; users should upgrade to version 2.3.0, where the vulnerability is addressed.
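The following Go sketch is an added illustration, not Vikunja's code and not the 2.3.0 patch: it models recursive permission inheritance and contrasts a reparent check that only looks at the moved project with one that also refuses a move that would raise the caller's own effective permission. All type and function names, the user "bob", and the sample project tree are assumptions constructed for this example.

```go
package main

import "fmt"

type Permission int
const (
	None Permission = iota
	Write
	Admin
)

type Project struct { // node in the tree; Grants holds explicit per-user permissions
	Parent *Project
	Grants map[string]Permission
}

// Effective walks the parent chain and returns the highest permission found.
func Effective(p *Project, user string) Permission {
	best := None
	for n := p; n != nil; n = n.Parent {
		if g := n.Grants[user]; g > best {
			best = g
		}
	}
	return best
}

// CanReparentWeak models the flawed check: Write on the moved project suffices.
func CanReparentWeak(p, newParent *Project, user string) bool {
	return Effective(p, user) >= Write
}

// CanReparentStrict (assumed invariant) also rejects a move that raises the caller's permission.
func CanReparentStrict(p, newParent *Project, user string) bool {
	before := Effective(p, user)
	moved := &Project{Parent: newParent, Grants: p.Grants} // the project as it would be after the move
	return before >= Write && Effective(moved, user) <= before
}

func Scenario() (child, target *Project) {
	team := &Project{Grants: map[string]Permission{"bob": Write}}  // constructed: Write on old parent
	target = &Project{Grants: map[string]Permission{"bob": Admin}} // constructed: Admin on new parent
	return &Project{Parent: team}, target
}

func main() {
	c, t := Scenario()
	fmt.Println(CanReparentWeak(c, t, "bob"), CanReparentStrict(c, t, "bob"))
}
```

The same before/after comparison can serve as a regression test for any hierarchy-changing operation in a model where permissions are inherited from ancestors.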

Affected Version(s)

vikunja < 2.3.0

CVSS V3.1

Score: 8.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
