CVE-2026-35596: CWE-863: Incorrect Authorization in go-vikunja vikunja
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed. This vulnerability is fixed in 2.3.0.
AI Analysis
Technical Summary
CVE-2026-35596 is an incorrect authorization vulnerability (CWE-863) in the open-source task management platform vikunja. The flaw exists in the hasAccessToLabel function where a SQL operator precedence bug improperly restricts access, enabling any authenticated user to access labels linked to tasks without proper project permissions. This results in unauthorized disclosure of label metadata. The vulnerability affects all versions prior to 2.3.0 and has a CVSS 3.1 base score of 4.3 (medium severity).
Potential Impact
The vulnerability allows unauthorized disclosure of label information (titles, descriptions, colors, and creator details) to any authenticated user, even if they lack access to the associated project. There is no impact on data integrity or availability reported. No known exploits in the wild have been identified.
Mitigation Recommendations
Upgrade to vikunja version 2.3.0 or later, where this vulnerability is fixed. Since the vendor has released a fixed version, applying this official update is the recommended remediation. No other mitigation or temporary fix is indicated.
CVE-2026-35596: CWE-863: Incorrect Authorization in go-vikunja vikunja
Description
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed. This vulnerability is fixed in 2.3.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-35596 is an incorrect authorization vulnerability (CWE-863) in the open-source task management platform vikunja. The flaw exists in the hasAccessToLabel function where a SQL operator precedence bug improperly restricts access, enabling any authenticated user to access labels linked to tasks without proper project permissions. This results in unauthorized disclosure of label metadata. The vulnerability affects all versions prior to 2.3.0 and has a CVSS 3.1 base score of 4.3 (medium severity).
Potential Impact
The vulnerability allows unauthorized disclosure of label information (titles, descriptions, colors, and creator details) to any authenticated user, even if they lack access to the associated project. There is no impact on data integrity or availability reported. No known exploits in the wild have been identified.
Mitigation Recommendations
Upgrade to vikunja version 2.3.0 or later, where this vulnerability is fixed. Since the vendor has released a fixed version, applying this official update is the recommended remediation. No other mitigation or temporary fix is indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-03T21:25:12.162Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d9d9751cc7ad14da3f8723
Added to database: 4/11/2026, 5:17:41 AM
Last enriched: 4/11/2026, 5:19:21 AM
Last updated: 4/11/2026, 3:54:06 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.