Vikunja is an open-source, self-hosted task management platform that uses an Electron wrapper for its desktop client. In versions from 0.21.0 up to but excluding 2.2.0, the Electron wrapper improperly handles URLs passed to window.open() by forwarding them directly to Electron's shell.openExternal() method without any validation or protocol allowlisting. This means that any URL, including those with custom URI schemes, can be opened by the underlying operating system. An attacker who can inject user-generated content containing links that open in new windows (e.g., links with target="_blank" or those triggering window.open) can exploit this behavior to cause the victim's system to launch arbitrary applications, open local files, or trigger other custom protocol handlers. This improper authorization and lack of validation corresponds to CWE-939 (Improper Authorization in Handler for Custom URL Scheme). The vulnerability does not require authentication but does require user interaction to activate the malicious link. The CVSS 4.0 score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, but user interaction needed, and a high scope impact. The issue was patched in Vikunja version 2.2.0 by presumably adding validation or allowlisting of protocols before passing URLs to shell.openExternal(). No known exploits have been reported in the wild as of the publication date.

This vulnerability can lead to significant security risks for organizations using affected versions of Vikunja Desktop. By exploiting this flaw, attackers can cause victims' operating systems to open arbitrary URI schemes, which may launch local applications, open sensitive local files, or trigger other custom protocol handlers. This can result in unauthorized actions such as executing malicious code, leaking sensitive information, or triggering unintended behaviors on the victim's machine. Since Vikunja is often used for task and project management, attackers might leverage this to target employees or collaborators by embedding malicious links in shared content. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in environments where users frequently interact with shared or untrusted content. The vulnerability affects confidentiality and integrity primarily through potential local application invocation and file access, and could also impact availability if destructive actions are triggered. Organizations relying on Vikunja Desktop without patching may expose their users to targeted attacks, especially in environments with less security awareness or where custom URI handlers are prevalent.

Organizations should upgrade all Vikunja Desktop clients to version 2.2.0 or later, where this vulnerability is patched. Until upgrades can be performed, administrators should restrict or monitor user-generated content that can include links with target="_blank" or that trigger window.open, especially from untrusted sources. Implementing content sanitization or filtering to remove or neutralize such links can reduce risk. Users should be educated to avoid clicking suspicious links within Vikunja content. Additionally, organizations can configure endpoint protection solutions to monitor and block suspicious invocations of custom URI schemes or unexpected local application launches triggered by the Electron app. Network-level controls can also be employed to restrict access to known malicious domains or URLs. Finally, developers maintaining forks or custom versions of Vikunja should implement strict validation and allowlisting of protocols passed to shell.openExternal() to prevent similar issues.