CVE-2026-35595: CWE-269: Improper Privilege Management in go-vikunja vikunja
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CanUpdate check at pkg/models/project_permissions.go:139-148 only requires CanWrite on the new parent project when changing parent_project_id. However, Vikunja's permission model uses a recursive CTE that walks up the project hierarchy to compute permissions. Moving a project under a different parent changes the permission inheritance chain. When a user has inherited Write access (from a parent project share) and reparents the child project under their own project tree, the CTE resolves their ownership of the new parent as Admin (permission level 2) on the moved project. This vulnerability is fixed in 2.3.0.
AI Analysis
Technical Summary
CVE-2026-35595 affects Vikunja, an open-source task management platform, in versions before 2.3.0. The vulnerability arises from the CanUpdate permission check that runs when a project's parent is changed. The check only verifies whether the user has write access on the new parent project. However, Vikunja uses a recursive common table expression (CTE) to compute permissions by walking up the project hierarchy, so moving a project changes which ancestors contribute to its effective permission. When a user with inherited write access from a parent project moves a child project under their own project tree, the permission calculation resolves their ownership of the new parent as admin on the moved project. This improper privilege management allows unauthorized privilege escalation. The issue is resolved in Vikunja 2.3.0.
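To make the inheritance chain concrete, the following Go model is an added example (not Vikunja's code) of the resolution described above: effective rights are the highest right found on the project or any ancestor, with ownership counting as Admin, and the vulnerable reparent check requires only Write on the project and on its new parent. The hardened check is an assumed mitigation, not the change shipped in 2.3.0; the None and Write levels, project IDs and user names are constructed.

```go
package main

// Constructed toy model of Vikunja-style inherited rights, not Vikunja's code; only Admin = 2 is from the advisory.
const None, Write, Admin = -1, 1, 2

type Project struct {
	Owner  string
	Parent int            // 0 = top-level project
	Shares map[string]int // user -> right shared directly on this project
}
type Tree map[int]*Project

// Effective mirrors the recursive CTE: highest right on the project or any ancestor; owning one counts as Admin.
func (t Tree) Effective(user string, id int) int {
	best := None
	for ; id != 0; id = t[id].Parent {
		if t[id].Owner == user && best < Admin {
			best = Admin
		}
		if lvl, ok := t[id].Shares[user]; ok && lvl > best {
			best = lvl
		}
	}
	return best
}

// Pre-2.3.0 check as described: Write on the moved project and Write on the new parent.
func (t Tree) VulnerableCanReparent(user string, id, newParent int) bool {
	return t.Effective(user, id) >= Write && t.Effective(user, newParent) >= Write
}

// Assumed mitigation (not the upstream fix): also refuse a move that would raise the caller's own right on the project.
func (t Tree) HardenedCanReparent(user string, id, newParent int) bool {
	if !t.VulnerableCanReparent(user, id, newParent) {
		return false
	}
	before, old := t.Effective(user, id), t[id].Parent
	t[id].Parent = newParent // simulate the move, then restore it
	after := t.Effective(user, id)
	t[id].Parent = old
	return after <= before
}

// Constructed data: victim owns 10 and child 11 and shares 10 with the attacker at Write; attacker owns 20.
func NewScenario() Tree {
	return Tree{
		10: {Owner: "victim", Shares: map[string]int{"attacker": Write}},
		11: {Owner: "victim", Parent: 10}, 20: {Owner: "attacker"},
	}
}
```

In the scenario, the attacker's right on project 11 is Write through the share on 10; reparenting 11 under 20 makes it Admin, which the vulnerable check permits and the hardened check refuses, while a move to another project inside the shared tree stays allowed.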
Potential Impact
An attacker with write access inherited from a parent project can escalate their privileges to admin on a child project by reparenting it under their own project tree. This leads to high impact on confidentiality and integrity, as the attacker gains administrative control over the project. Availability impact is low. The CVSS 3.1 score is 8.3 (high severity). There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade Vikunja to version 2.3.0 or later, where this vulnerability is fixed. The vendor advisory provides no patch link or temporary workaround, so applying the official update is the recommended remediation.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-03T21:25:12.161Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69d943121cc7ad14dadcb1ad
Added to database: 4/10/2026, 6:36:02 PM
Last enriched: 4/10/2026, 6:50:45 PM
Last updated: 5/26/2026, 7:56:08 AM