CVE-2026-35595: CWE-269: Improper Privilege Management in go-vikunja vikunja
Vikunja versions prior to 2.3.0 contain an improper privilege management vulnerability (CWE-269) related to changing the parent project of a task. The permission check only requires write access on the new parent project, but due to the recursive permission inheritance model, a user with inherited write access can reparent a project under their own hierarchy and gain admin-level permissions on that project. This vulnerability is fixed in version 2.3.0.
AI-Powered Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-35595 affects Vikunja, an open-source task management platform, in versions before 2.3.0. The vulnerability arises in the CanUpdate permission check that runs when a project's parent is changed. The check only verifies that the user has write access on the new parent project. However, Vikunja computes permissions with a recursive common table expression (CTE) that walks up the project hierarchy, so a project's effective permissions depend on its ancestors. When a user who holds only inherited write access on a child project moves that project under their own project tree, the recomputed hierarchy grants them admin-level access on the moved project. This improper privilege management allows unauthorized privilege escalation. The issue is resolved in Vikunja 2.3.0.
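The hierarchy walk and the reparent check described above, as an added Go example that is not Vikunja's code: a toy model of inherited project rights in which the owner is modelled as a direct Admin grant. The `hardenedCanReparent` rule (require admin on the project being moved, evaluated before the move) is an assumption about a sensible check, not the upstream 2.3.0 change; all names and data are constructed.

```go
package main

import "fmt"
// Added example, not Vikunja's code: toy inherited project permissions showing
// why a reparent check must look beyond write access on the new parent.
type Right int
const Read, Write, Admin Right = 1, 2, 3 // zero value means no access
// Parent == 0 is top level; Shares are direct grants (the owner is an Admin grant).
type Project struct{ Parent int; Shares map[string]Right }
type Tree map[int]*Project

// Effective walks up the hierarchy (the job of the recursive CTE): the strongest
// right granted on the project or any ancestor is what the user gets.
func (t Tree) Effective(user string, id int) Right {
	var best Right
	for ; id != 0; id = t[id].Parent {
		if r := t[id].Shares[user]; r > best {
			best = r
		}
	}
	return best
}

// vulnerableCanReparent mirrors the flawed logic: only Write on the new parent.
func vulnerableCanReparent(t Tree, user string, newParent int) bool {
	return t.Effective(user, newParent) >= Write
}

// hardenedCanReparent (an assumption, not the upstream fix) also requires Admin
// on the project being moved, evaluated before the move rewrites its ancestry.
func hardenedCanReparent(t Tree, user string, id, newParent int) bool {
	return t.Effective(user, id) >= Admin && t.Effective(user, newParent) >= Write
}

// Demo (constructed data): alice owns 1, Write shared with bob, and its child 2; bob
// owns 3. Returns bob's right on 2 before/after the vulnerable check lets him move 2
// under 3, and whether the hardened check would have allowed that move.
func Demo() (before, after Right, hardenedOK bool) {
	t := Tree{
		1: {Shares: map[string]Right{"alice": Admin, "bob": Write}},
		2: {Parent: 1, Shares: map[string]Right{"alice": Admin}},
		3: {Shares: map[string]Right{"bob": Admin}},
	}
	before, hardenedOK = t.Effective("bob", 2), hardenedCanReparent(t, "bob", 2, 3)
	if vulnerableCanReparent(t, "bob", 3) {
		t[2].Parent = 3 // the move the vulnerable check permits
	}
	return before, t.Effective("bob", 2), hardenedOK
}
func main() { fmt.Println(Demo()) }
```

Running it shows bob holding Write on project 2 before the move and Admin afterwards, while the hardened check refuses the move because his pre-move right on 2 is below Admin.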
Potential Impact
An attacker with write access inherited from a parent project can escalate their privileges to admin on a child project by reparenting it under their own project tree. This leads to high impact on confidentiality and integrity, as the attacker gains administrative control over the project. Availability impact is low. The CVSS 3.1 score is 8.3 (high severity). There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade Vikunja to version 2.3.0 or later, where this vulnerability is fixed. Since the vendor advisory does not provide an official patch link or temporary workaround, applying the official update is the recommended remediation. Patch status is confirmed fixed in version 2.3.0.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-03T21:25:12.161Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69d943121cc7ad14dadcb1ad
Added to database: 4/10/2026, 6:36:02 PM
Last enriched: 4/10/2026, 6:50:45 PM
Last updated: 4/10/2026, 9:15:05 PM