Description
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows (or guesses) a task UID can read the full task data from any project on the instance. This vulnerability is fixed in 2.3.0.
Published: 2026-04-10
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Task Data Disclosure
Action: Apply Patch
AI Analysis

Impact

Vikunja’s CalDAV GetResource and GetResourcesByList methods fetch tasks by UID without verifying that the authenticated user has permission on the task’s project. As a result, any authenticated CalDAV user who knows or guesses a task UID can read the full task data from any project on the instance. This class of vulnerability is an authorization bypass that permits disclosure of confidential task information, but it does not provide remote code execution or other higher‑level privileges.

Affected Systems

All instances of the Vikunja open‑source task management platform running a version earlier than 2.3.0 are vulnerable. The issue pertains to the CalDAV interface exposed by the Vikunja service and affects any deployment that accepts authenticated CalDAV connections.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. No EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation currently known. Exploitation requires only an authenticated CalDAV client and a valid or guessed task UID, making the attack path simple for an insider or compromised user but not for unauthenticated external actors.

Generated by OpenCVE AI on April 10, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Vikunja v2.3.0 or later, where the missing authorization check has been added.

Generated by OpenCVE AI on April 10, 2026 at 17:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-48ch-p4gq-x46x Vikunja Missing Authorization on CalDAV Task Read
History

Fri, 17 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Vikunja
Vikunja vikunja
CPEs cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
Vendors & Products Vikunja
Vikunja vikunja

Tue, 14 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Go-vikunja
Go-vikunja vikunja
Vendors & Products Go-vikunja
Go-vikunja vikunja

Fri, 10 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows (or guesses) a task UID can read the full task data from any project on the instance. This vulnerability is fixed in 2.3.0.
Title Vikunja has Missing Authorization on CalDAV Task Read
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Go-vikunja Vikunja
Vikunja Vikunja
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T14:20:44.249Z

Reserved: 2026-04-03T21:25:12.162Z

Link: CVE-2026-35598

cve-icon Vulnrichment

Updated: 2026-04-14T14:20:32.106Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T17:17:03.370

Modified: 2026-04-17T21:57:42.097

Link: CVE-2026-35598

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T13:00:30Z

Weaknesses