Scoped API Token Bypass in Vikunja Task Management Platform
CVE-2026-40103

CVSS 4.3 (MEDIUM)

Key Information:

Vendor: Go-vikunja
Status: Vendor
CVE Published: 10 April 2026

What is CVE-2026-40103?

Vikunja, a self-hosted task management platform, has a vulnerability in its API token enforcement mechanism affecting versions before 2.3.0. An attacker holding a scoped API token that grants only the 'projects.background' permission can delete project backgrounds, an action that should require the separate 'projects.background_delete' permission. The issue has been addressed in version 2.3.0, which strengthens the authentication checks. Users are encouraged to update to the latest version to mitigate this security risk.
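The defensive property the fix restores is that each route is bound to one exact scope and a token is accepted only if it holds that scope as a whole string. The following Go example is added here to illustrate that check; it is not Vikunja's code, and the route table and token layout are assumptions for illustration, with only the two scope names taken from the advisory.

```go
package main

import "fmt"

// Route-to-scope table (assumed layout, not Vikunja's actual code).
// The two scope names come from the advisory: the delete action must
// require "projects.background_delete", not "projects.background".
var requiredScope = map[string]string{
	"GET /projects/{id}/background":    "projects.background",
	"PUT /projects/{id}/background":    "projects.background",
	"DELETE /projects/{id}/background": "projects.background_delete",
}

// APIToken holds the exact scopes granted when the token was created.
type APIToken struct {
	Scopes map[string]bool
}

// Authorize returns nil only when the token holds exactly the scope the
// route requires. Scopes are compared as whole strings, so holding
// "projects.background" never satisfies "projects.background_delete".
// Routes missing from the table are denied by default.
func Authorize(tok APIToken, route string) error {
	need, ok := requiredScope[route]
	if !ok {
		return fmt.Errorf("route %q has no scope mapping: denied", route)
	}
	if !tok.Scopes[need] {
		return fmt.Errorf("token lacks scope %q for %s", need, route)
	}
	return nil
}

func main() {
	// Constructed token holding only the narrower scope.
	tok := APIToken{Scopes: map[string]bool{"projects.background": true}}
	for _, r := range []string{"PUT /projects/{id}/background", "DELETE /projects/{id}/background"} {
		if err := Authorize(tok, r); err != nil {
			fmt.Println("denied:", err)
		} else {
			fmt.Println("allowed:", r)
		}
	}
}
```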

Affected Version(s)

vikunja < 2.3.0

CVSS v3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved