CVE-2026-35596: CWE-863: Incorrect Authorization in go-vikunja vikunja
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed. This vulnerability is fixed in 2.3.0.
AI Analysis
Technical Summary
CVE-2026-35596 is an incorrect authorization vulnerability (CWE-863) in the open-source task management platform Vikunja before version 2.3.0. The issue arises from a SQL operator precedence bug in the hasAccessToLabel function, which improperly restricts access to label data. As a result, any authenticated user can read label metadata linked to tasks regardless of their project permissions. The vulnerability exposes label titles, descriptions, colors, and creator information but does not impact integrity or availability. The flaw is resolved in Vikunja 2.3.0.
Potential Impact
The vulnerability allows unauthorized disclosure of label metadata to any authenticated user, potentially exposing sensitive project labeling information. There is no impact on data integrity or availability. The CVSS v3.1 base score is 4.3 (medium severity), reflecting low impact on confidentiality and no impact on integrity or availability.
Mitigation Recommendations
Upgrade Vikunja to version 2.3.0 or later, where this authorization bug is fixed. No other mitigation or temporary workaround is documented. Patch status is confirmed fixed in 2.3.0.
CVE-2026-35596: CWE-863: Incorrect Authorization in go-vikunja vikunja
Description
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed. This vulnerability is fixed in 2.3.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-35596 is an incorrect authorization vulnerability (CWE-863) in the open-source task management platform Vikunja before version 2.3.0. The issue arises from a SQL operator precedence bug in the hasAccessToLabel function, which improperly restricts access to label data. As a result, any authenticated user can read label metadata linked to tasks regardless of their project permissions. The vulnerability exposes label titles, descriptions, colors, and creator information but does not impact integrity or availability. The flaw is resolved in Vikunja 2.3.0.
Potential Impact
The vulnerability allows unauthorized disclosure of label metadata to any authenticated user, potentially exposing sensitive project labeling information. There is no impact on data integrity or availability. The CVSS v3.1 base score is 4.3 (medium severity), reflecting low impact on confidentiality and no impact on integrity or availability.
Mitigation Recommendations
Upgrade Vikunja to version 2.3.0 or later, where this authorization bug is fixed. No other mitigation or temporary workaround is documented. Patch status is confirmed fixed in 2.3.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-03T21:25:12.162Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d9d9751cc7ad14da3f8723
Added to database: 4/11/2026, 5:17:41 AM
Last enriched: 4/18/2026, 2:20:51 PM
Last updated: 5/26/2026, 9:00:50 AM
Views: 87
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.