Description
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims in pkg/models/link_sharing.go) constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner deletes a link share or downgrades its permissions, all previously issued JWTs continue to grant the original permission level for up to 72 hours (the default service.jwtttl). This vulnerability is fixed in 2.3.0.
Published: 2026-04-10
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access due to stale JWT tokens
Action: Immediate Patch
AI Analysis

Impact

Vikunja, an open‑source task management platform, issued JSON Web Tokens (JWTs) for link sharing that were created solely from the JWT claims without any server‑side verification of the share’s current status. When a project owner deleted a share or lowered its permissions, the tokens that had already been handed out continued to grant the original level of access for the full 72‑hour default token lifetime, allowing an attacker or an inadvertently privileged user to view, edit, or otherwise interact with data that should have been inaccessible. The effect is a breach of confidentiality and integrity for the resources linked via the share. The weakness is classified as CWE‑613 (Failure to Validate The Scope of Access).

Affected Systems

The vulnerability affects the Vikunja task management platform, version 2.2.x and older – any deployment running a release prior to 2.3.0 is susceptible. As Vikunja is typically self‑hosted, operators of any instance using the affected code are impacted, regardless of the hosting environment.

Risk and Exploitability

The CVSS score of 6.5 places the issue in the medium severity range, and the lack of an EPSS score indicates no publicly available data on exploit frequency. The issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Because the vulnerability is triggered by the continued validity of already issued JWTs, an attacker could exploit it by merely retrieving a previously distributed link share URL or by capturing a token in transit. The likely attack vector is over the network via the share link, and the prerequisite is possession of an existing JWT that was issued before the share was revoked or its permissions altered.

Generated by OpenCVE AI on April 10, 2026 at 17:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vikunja to version 2.3.0 or later, which implements validation of link share status before issuing tokens.
  • Re‑generate link shares after revocation or permission changes; existing tokens remain valid for a maximum of 72 hours, so plan to replace them promptly.
  • Monitor access logs for unusual activity on previously revoked or downgraded shares to detect any exploitation.

Generated by OpenCVE AI on April 10, 2026 at 17:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-96q5-xm3p-7m84 Vikunja: Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade
History

Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Vikunja
Vikunja vikunja
CPEs cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
Vendors & Products Vikunja
Vikunja vikunja

Tue, 14 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Go-vikunja
Go-vikunja vikunja
Vendors & Products Go-vikunja
Go-vikunja vikunja

Fri, 10 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Description Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims in pkg/models/link_sharing.go) constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner deletes a link share or downgrades its permissions, all previously issued JWTs continue to grant the original permission level for up to 72 hours (the default service.jwtttl). This vulnerability is fixed in 2.3.0.
Title Vikunja Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade
Weaknesses CWE-613
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Go-vikunja Vikunja
Vikunja Vikunja
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T14:32:15.339Z

Reserved: 2026-04-03T21:25:12.161Z

Link: CVE-2026-35594

cve-icon Vulnrichment

Updated: 2026-04-14T14:32:05.418Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T16:16:32.000

Modified: 2026-04-24T14:53:24.230

Link: CVE-2026-35594

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T13:01:06Z

Weaknesses