CVE-2026-35602 - Vulnerability Details

- Vikunja has a File Size Limit Bypass via Vikunja Import

Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the Vikunja file import endpoint uses the attacker-controlled Size field from the JSON metadata inside the import zip instead of the actual decompressed file content length for the file size enforcement check. By setting Size to 0 in the JSON while including large compressed file entries in the zip, an attacker bypasses the configured maximum file size limit. This vulnerability is fixed in 2.3.0.

Published: 2026-04-10

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Vikunja’s import endpoint enforced a maximum file size based on the Size value supplied in a zip file’s JSON metadata. An attacker can set this field to 0 while including a large compressed file inside the archive, causing the server to accept the upload and store the large file, thereby bypassing the configured limit. This can consume significant disk or memory resources and lead to service denial. The weakness is an example of resource exhaustion, classified as CWE‑770.

Affected Systems

All versions of the Vikunja application released before v2.3.0 are affected, regardless of operating system or deployment environment. The fix was introduced in v2.3.0 and later releases, eliminating the bypass.

Risk and Exploitability

The CVSS score of 5.4 indicates medium severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The flaw is exploitable via the HTTP import API. It is inferred that this API requires authentication, though this is not explicitly stated. If an authenticated user can submit an import, the attack can be performed without additional conditions, raising risk in systems where import privileges are widely granted.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

go-vikunja

vikunja

affected

Version	Status	Constraints
`< 2.3.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Go-vikunja

Vikunja

100%

Version	Status	Scheme	Platform
`[0,2.3.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to Vikunja v2.3.0 or later.
After upgrading, test the file size enforcement by attempting to upload a file larger than the configured limit.
Restrict the import functionality to trusted users or limit the number of import operations per user.
If a patch cannot be applied immediately, temporarily disable import capabilities or monitor import activity closely.

Generated by OpenCVE AI on April 10, 2026 at 17:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-qh78-rvg3-cv54	Vikunja has File Size Limit Bypass via Vikunja Import

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00047.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/go-vikunja/vikunja/pull/2575
https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-qh78-rvg3-cv54

History

Fri, 17 Apr 2026 22:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Vikunja Vikunja vikunja
CPEs		cpe:2.3:a:vikunja:vikunja::::::::
Vendors & Products		Vikunja Vikunja vikunja

Tue, 14 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 13 Apr 2026 13:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Go-vikunja Go-vikunja vikunja
Vendors & Products		Go-vikunja Go-vikunja vikunja

Fri, 10 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the Vikunja file import endpoint uses the attacker-controlled Size field from the JSON metadata inside the import zip instead of the actual decompressed file content length for the file size enforcement check. By setting Size to 0 in the JSON while including large compressed file entries in the zip, an attacker bypasses the configured maximum file size limit. This vulnerability is fixed in 2.3.0.
Title		Vikunja has a File Size Limit Bypass via Vikunja Import
Weaknesses		CWE-770
References		https://github.com/go-vikunja/vikunja/pull/2575 https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0 https://github.com/go-vikunja/vikunja/security/advisories/GHSA-qh78-rvg3-cv54
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}`

Subscriptions

Go-vikunja Vikunja

Vikunja Vikunja

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-10T16:10:39.630Z

Updated: 2026-04-14T14:19:30.140Z

Reserved: 2026-04-03T21:25:12.162Z

Link: CVE-2026-35602

Vulnrichment

Updated: 2026-04-14T14:19:17.017Z

NVD

Status : Analyzed

Published: 2026-04-10T17:17:03.993

Modified: 2026-04-17T21:49:40.743

Link: CVE-2026-35602

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T13:00:26Z

Weaknesses

CWE-770

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object