Impact
The vulnerability in Vikunja's hasAccessToLabel function arises from a SQL operator precedence bug. An authenticated attacker can craft requests that bypass project-level checks and retrieve any label associated with at least one task. The exposed data includes the label's title, description, color, and creator identity. This leak compromises the confidentiality of organizational metadata and represents a broken access control flaw (CWE-863). It does not lead to code execution or denial of service, but it allows unauthorized disclosure of sensitive information.
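The following is an added illustration of this bug class, not Vikunja's own code, schema or query: a constructed label-access check in Python over an in-memory SQLite database, where dropping the parentheses around an OR turns the intended rule "this label AND (creator OR member of a project holding one of its tasks)" into "(this label AND creator) OR member of any project with a labelled task", shown beside the corrected predicate. All table and column names are hypothetical.

```python
import sqlite3

# Constructed, hypothetical schema and rows; not Vikunja's real data model.
SCHEMA = """
CREATE TABLE labels (id INTEGER PRIMARY KEY, title TEXT, created_by_id INTEGER);
CREATE TABLE projects (id INTEGER PRIMARY KEY);
CREATE TABLE project_users (project_id INTEGER, user_id INTEGER);
CREATE TABLE tasks (id INTEGER PRIMARY KEY, project_id INTEGER);
CREATE TABLE label_tasks (label_id INTEGER, task_id INTEGER);
INSERT INTO labels VALUES (1, 'shared', 10), (2, 'secret', 20);
INSERT INTO projects VALUES (1), (2);
INSERT INTO project_users VALUES (1, 30), (2, 20);   -- user 30 in project 1, user 20 in project 2
INSERT INTO tasks VALUES (100, 1), (200, 2);
INSERT INTO label_tasks VALUES (1, 100), (2, 200);   -- label 1 on task 100, label 2 on task 200
"""

# Intended rule: a user may read a label if they created it, or if it is attached
# to a task inside a project they are a member of.
FROM_CLAUSE = """
FROM labels l
LEFT JOIN label_tasks lt ON lt.label_id = l.id
LEFT JOIN tasks t ON t.id = lt.task_id
LEFT JOIN project_users pu ON pu.project_id = t.project_id
"""

# Buggy: AND binds tighter than OR, so this parses as
# (l.id = :label AND creator) OR (pu.user_id = :user) and the second branch is
# no longer restricted to the requested label at all.
BUGGY_WHERE = "WHERE l.id = :label AND l.created_by_id = :user OR pu.user_id = :user"

# Fixed: parentheses scope the OR to rows of the requested label only.
FIXED_WHERE = "WHERE l.id = :label AND (l.created_by_id = :user OR pu.user_id = :user)"


def has_access(conn, where_clause, label_id, user_id):
    """Return True when at least one row satisfies the access predicate."""
    sql = "SELECT COUNT(*) " + FROM_CLAUSE + where_clause
    (count,) = conn.execute(sql, {"label": label_id, "user": user_id}).fetchone()
    return count > 0


def compare(label_id, user_id):
    """Evaluate the buggy and the fixed predicate for one (label, user) pair."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    buggy = has_access(conn, BUGGY_WHERE, label_id, user_id)
    fixed = has_access(conn, FIXED_WHERE, label_id, user_id)
    conn.close()
    return buggy, fixed
```

User 30 is only a member of project 1, yet the buggy predicate grants it label 2 from project 2 because a row from label 1 satisfies the unscoped `pu.user_id = :user` branch; the fixed predicate denies it.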
Affected Systems
Affected deployments are those running Vikunja before version 2.3.0, the open-source self-hosted task management platform maintained by go-vikunja. No other vendors are listed in this advisory. Users operating any version older than 2.3.0 are impacted.
Risk and Exploitability
The CVSS score of 4.3 points to low severity, and no EPSS score is available, so the likelihood of exploitation is uncertain. The vulnerability is not included in the CISA KEV catalog. Exploitation requires only authenticated access to the application; no special conditions are needed. While the impact is restricted to confidential label data, the ease of exploitation means the risk is moderate but not critical. Administrators should apply the 2.3.0 patch promptly to eliminate the flaw.
OpenCVE Enrichment
GitHub GHSA