CVE-2026-35595

HIGH 8.3

Vikunja Affected by Privilege Escalation via Project Reparenting

CVSS Score

8.3

EPSS Score

0.0%

EPSS Percentile

0th

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CanUpdate check at pkg/models/project_permissions.go:139-148 only requires CanWrite on the new parent project when changing parent_project_id. However, Vikunja's permission model uses a recursive CTE that walks up the project hierarchy to compute permissions. Moving a project under a different parent changes the permission inheritance chain. When a user has inherited Write access (from a parent project share) and reparents the child project under their own project tree, the CTE resolves their ownership of the new parent as Admin (permission level 2) on the moved project. This vulnerability is fixed in 2.3.0.

CWE	CWE-269
Vendor	go-vikunja
Product	vikunja
Published	Apr 10, 2026
Last Updated	Apr 10, 2026

Stay Ahead of the Next One

Get instant alerts for go-vikunja vikunja

Be the first to know when new high vulnerabilities affecting go-vikunja vikunja are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Affected Versions

go-vikunja / vikunja

< 2.3.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2vq4-854f-5c72 github.com: https://github.com/go-vikunja/vikunja/pull/2583 github.com: https://github.com/go-vikunja/vikunja/commit/c03d682f48aff890eeb3c8b41d38226069722827 github.com: https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0