CVE-2026-35595
HIGHVikunja Affected by Privilege Escalation via Project Reparenting
Title source: cnaDescription
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CanUpdate check at pkg/models/project_permissions.go:139-148 only requires CanWrite on the new parent project when changing parent_project_id. However, Vikunja's permission model uses a recursive CTE that walks up the project hierarchy to compute permissions. Moving a project under a different parent changes the permission inheritance chain. When a user has inherited Write access (from a parent project share) and reparents the child project under their own project tree, the CTE resolves their ownership of the new parent as Admin (permission level 2) on the moved project. This vulnerability is fixed in 2.3.0.
References (4)
Core 4
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2vq4-854f-5c72
X_Refsource_Misc x_refsource_misc
https://github.com/go-vikunja/vikunja/pull/2583
X_Refsource_Misc x_refsource_misc
https://github.com/go-vikunja/vikunja/commit/c03d682f48aff890eeb3c8b41d38226069722827
X_Refsource_Misc x_refsource_misc
https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0
Scores
CVSS v3
8.3
EPSS
0.0028
EPSS Percentile
19.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-269
Status
published
Products (3)
code.vikunja.io/api
0 - 2.3.0Go
go-vikunja/vikunja
< 2.3.0
vikunja/vikunja
< 2.3.0
Published
Apr 10, 2026
Tracked Since
Apr 10, 2026