SQL Operator Precedence Bug in Vikunja Affects Task Management Capabilities
CVE-2026-35596

4.3MEDIUM

Key Information:

Vendor

Go-vikunja

Status
Vikunja
Vendor
CVE Published:
10 April 2026

What is CVE-2026-35596?

The Vikunja task management platform contains a SQL operator precedence issue in the hasAccessToLabel function, which permits authenticated users to access sensitive label details linked to tasks. This flaw reveals critical information including label titles, descriptions, and creator details, regardless of the user's project permissions. Users should upgrade to version 2.3.0 or later to address this vulnerability and secure their instances against unauthorized data access.

Affected Version(s)

vikunja < 2.3.0

References

https://github.com/go-vikunja/vikunja/security/advisories...
x_refsource_CONFIRM
https://github.com/go-vikunja/vikunja/pull/2578
x_refsource_MISC
https://github.com/go-vikunja/vikunja/commit/fc216c38afaa...
x_refsource_MISC

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.