Description
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker triggers billions of loop iterations, consuming CPU and holding a database connection for minutes per request. This vulnerability is fixed in 2.3.0.
Published: 2026-04-10
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via excessive CPU usage
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in Vikunja’s algorithm for assigning repeat intervals to tasks. An O(n) loop processes each second until a due date is reached, and when a repeating task is set with a 1‑second interval and a start date far in the past, the loop can iterate billions of times. Each iteration consumes CPU cycles and holds a database connection for minutes, effectively saturating the server and causing service interruption. The weakness is identified as a classic algorithmic complexity issue (CWE‑407).

Affected Systems

Any deployment of the open‑source Vikunja task management platform running a version earlier than 2.3.0 is vulnerable. The affected component is the addRepeatIntervalToTime function in the repeating‑task handler.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. Exploitation does not require elevated privileges or a privileged environment; the likely attack vector is the public‑facing API or any interface that accepts user‑supplied repeating‑task data. Attackers can trigger the DoS by submitting a single malicious task, leading to high CPU load and database lock‑up. No evidence suggests it is in the CISA KEV catalog nor is the EPSS score available, but the impact on availability and the ability to exercise the flaw remotely make it a significant risk for users unable to apply the fix promptly.

Generated by OpenCVE AI on April 10, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vikunja to version 2.3.0 or later immediately.
  • If a rapid upgrade is not possible, restrict the creation of repeating tasks to trusted administrators and avoid 1‑second intervals.
  • Monitor CPU and database connection usage for unusual spikes.
  • Apply any vendor‑issued temporary throttle or rate‑limit rules if available.

Generated by OpenCVE AI on April 10, 2026 at 17:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-r4fg-73rc-hhh7 Vikunja has Algorithmic Complexity DoS in Repeating Task Handler
History

Fri, 17 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Vikunja
Vikunja vikunja
CPEs cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
Vendors & Products Vikunja
Vikunja vikunja

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Go-vikunja
Go-vikunja vikunja
Vendors & Products Go-vikunja
Go-vikunja vikunja

Fri, 10 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker triggers billions of loop iterations, consuming CPU and holding a database connection for minutes per request. This vulnerability is fixed in 2.3.0.
Title Vikunja has an Algorithmic Complexity DoS in Repeating Task Handler
Weaknesses CWE-407
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Go-vikunja Vikunja
Vikunja Vikunja
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-10T18:28:29.310Z

Reserved: 2026-04-03T21:25:12.162Z

Link: CVE-2026-35599

cve-icon Vulnrichment

Updated: 2026-04-10T18:28:17.872Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T17:17:03.520

Modified: 2026-04-17T21:57:24.390

Link: CVE-2026-35599

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T13:00:29Z

Weaknesses