Description
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CanUpdate check at pkg/models/project_permissions.go:139-148 only requires CanWrite on the new parent project when changing parent_project_id. However, Vikunja's permission model uses a recursive CTE that walks up the project hierarchy to compute permissions. Moving a project under a different parent changes the permission inheritance chain. When a user has inherited Write access (from a parent project share) and reparents the child project under their own project tree, the CTE resolves their ownership of the new parent as Admin (permission level 2) on the moved project. This vulnerability is fixed in 2.3.0.
Published: 2026-04-10
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

A flaw in Vikunja's project permission calculation allows a user who holds Write permission on a project (directly, or inherited from a share on a parent project) to become an administrator of that project by moving it under a project they own. The CanUpdate check verifies only that the user has Write on the new parent; after the move, the recursive permission lookup that walks up the project hierarchy resolves the user's ownership of the new parent as Admin (permission level 2) on the moved project. The result is full administrative control over a project the attacker was only permitted to edit, with access to any data it contains and the ability to alter its settings.
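The mechanism described above, as an added example in Go (Vikunja's own language) that is not Vikunja's code: a minimal project tree, an effective-permission walk that plays the role of the recursive CTE, the pre-2.3.0 reparent check as the advisory describes it, and one illustrative hardening that evaluates the post-move hierarchy before committing. The type and function names (Project, Tree, effective, canReparentVulnerable, canReparentHardened), the Read = 0 / Write = 1 levels, the sample users and projects, and the hardened check itself are assumptions for illustration; only Admin = 2 comes from the advisory, and the hardening is not necessarily what 2.3.0 implements.

```go
package main

import "fmt"

// Permission levels. The advisory gives Admin as level 2; Read = 0 and
// Write = 1 are assumed here for illustration (Vikunja's constants may differ).
type Permission int

const (
	NoAccess Permission = -1
	Read     Permission = 0
	Write    Permission = 1
	Admin    Permission = 2
)

// Project is a hypothetical, minimal stand-in for a Vikunja project row.
type Project struct {
	ID       int
	OwnerID  int
	ParentID int                // 0 means top-level
	Shares   map[int]Permission // userID -> level granted directly on this project
}

// Tree maps project ID to project; it stands in for the database.
type Tree map[int]*Project

// effective mirrors what the recursive CTE computes: walk from the project up
// through every ancestor, keeping the highest level found. Owning the project
// or any ancestor resolves to Admin.
func (t Tree) effective(userID, projectID int) Permission {
	best := NoAccess
	seen := map[int]bool{} // guards against a cycle in parent links
	for id := projectID; id != 0 && !seen[id]; {
		seen[id] = true
		p, ok := t[id]
		if !ok {
			break
		}
		if p.OwnerID == userID {
			return Admin
		}
		if lvl, ok := p.Shares[userID]; ok && lvl > best {
			best = lvl
		}
		id = p.ParentID
	}
	return best
}

// isDescendant reports whether candidate is projectID itself or sits below it.
func (t Tree) isDescendant(candidate, projectID int) bool {
	seen := map[int]bool{}
	for id := candidate; id != 0 && !seen[id]; {
		if id == projectID {
			return true
		}
		seen[id] = true
		p, ok := t[id]
		if !ok {
			return false
		}
		id = p.ParentID
	}
	return false
}

// canReparentVulnerable reproduces the pre-2.3.0 logic as the advisory
// describes it: Write on the project being moved and Write on the new parent.
func (t Tree) canReparentVulnerable(userID, projectID, newParentID int) bool {
	return t.effective(userID, projectID) >= Write &&
		t.effective(userID, newParentID) >= Write
}

// canReparentHardened is one illustrative mitigation (an assumption, not
// necessarily the 2.3.0 fix): refuse a move that would place the project under
// itself, and refuse a move that would raise the mover's own level on the moved
// project, by running the CTE-equivalent against the post-move hierarchy first.
func (t Tree) canReparentHardened(userID, projectID, newParentID int) bool {
	if !t.canReparentVulnerable(userID, projectID, newParentID) {
		return false
	}
	if newParentID != 0 && t.isDescendant(newParentID, projectID) {
		return false
	}
	before := t.effective(userID, projectID)
	p := t[projectID]
	old := p.ParentID
	p.ParentID = newParentID // simulate the move ...
	after := t.effective(userID, projectID)
	p.ParentID = old // ... and roll it back
	return after <= before
}

// scenario builds the constructed situation from the advisory: Alice (1) owns
// "Team" (10) and its child "Sprint" (11) and shares Team with Bob (2) at
// Write; Bob owns an unrelated project (20).
func scenario() Tree {
	return Tree{
		10: {ID: 10, OwnerID: 1, ParentID: 0, Shares: map[int]Permission{2: Write}},
		11: {ID: 11, OwnerID: 1, ParentID: 10, Shares: map[int]Permission{}},
		20: {ID: 20, OwnerID: 2, ParentID: 0, Shares: map[int]Permission{}},
	}
}

func main() {
	t := scenario()
	fmt.Println("Bob on Sprint before move:", t.effective(2, 11))              // 1 (Write)
	fmt.Println("vulnerable check allows:", t.canReparentVulnerable(2, 11, 20)) // true
	fmt.Println("hardened check allows:", t.canReparentHardened(2, 11, 20))     // false
	t[11].ParentID = 20 // what the vulnerable path commits
	fmt.Println("Bob on Sprint after move:", t.effective(2, 11)) // 2 (Admin)
}
```

The point the walk makes concrete: nothing about project 11 changes except its parent pointer, yet Bob's resolved level jumps from Write to Admin because the hierarchy walk now reaches a project he owns. Any check that looks only at the destination cannot see that, which is why the hardened variant evaluates the permission that would result from the move rather than the permission held before it.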

Affected Systems

Vikunja, a self‑hosted task management platform, is affected when running any version earlier than 2.3.0. The issue is fixed in version 2.3.0 and later releases. All deployments of older versions are susceptible, regardless of hosting environment.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 8.3 (High), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L. EPSS is below 1% and the CVE is not in the CISA KEV catalog, but the SSVC record lists exploitation status as "poc", so proof-of-concept detail exists. Exploitation requires only an authenticated account that holds Write permission on the target project (directly or inherited from a share on a parent) and can update its parent_project_id, plus a project the attacker owns to move the target under. Because the API is reachable over the network, any such user can perform the move remotely and escalate to Admin on that project within the application. The attack vector is network (AV:N) with low privileges (PR:L) and no user interaction (UI:N), consistent with a single authenticated reparenting request.

Generated by OpenCVE AI on April 10, 2026 at 17:27 UTC.

Remediation

Vendor fix: the advisory (GHSA-2vq4-854f-5c72) states the issue is fixed in Vikunja 2.3.0. No workaround is listed for earlier versions.

OpenCVE Recommended Actions

  • Upgrade Vikunja to version 2.3.0 or newer to apply the fix
  • Until upgraded, restrict or monitor project updates that change parent_project_id so that only trusted administrators can reparent projects
  • Audit access logs for unauthorized project movement activities


Advisories
Source: GitHub GHSA
ID: GHSA-2vq4-854f-5c72
Title: Vikunja vulnerable to Privilege Escalation via Project Reparenting
History

Fri, 17 Apr 2026 22:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Vikunja
                                      Vikunja vikunja
CPEs                                  cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
Vendors & Products                    Vikunja
                                      Vikunja vikunja

Mon, 13 Apr 2026 13:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Go-vikunja
                                      Go-vikunja vikunja
Vendors & Products                    Go-vikunja
                                      Go-vikunja vikunja

Fri, 10 Apr 2026 19:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 16:30:00 +0000

Type         Values Removed   Values Added
Description                   Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CanUpdate check at pkg/models/project_permissions.go:139-148 only requires CanWrite on the new parent project when changing parent_project_id. However, Vikunja's permission model uses a recursive CTE that walks up the project hierarchy to compute permissions. Moving a project under a different parent changes the permission inheritance chain. When a user has inherited Write access (from a parent project share) and reparents the child project under their own project tree, the CTE resolves their ownership of the new parent as Admin (permission level 2) on the moved project. This vulnerability is fixed in 2.3.0.
Title                         Vikunja Affected by Privilege Escalation via Project Reparenting
Weaknesses                    CWE-269
References
Metrics                       cvssV3_1
                              {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-10T18:16:18.230Z

Reserved: 2026-04-03T21:25:12.161Z

Link: CVE-2026-35595

Vulnrichment

Updated: 2026-04-10T18:16:14.682Z

NVD

Status : Analyzed

Published: 2026-04-10T17:17:02.910

Modified: 2026-04-17T22:00:13.683

Link: CVE-2026-35595

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T13:01:05Z

Weaknesses