Description
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with only projects.background_delete is rejected. This is a scoped-token authorization bypass. This vulnerability is fixed in 2.3.0.
Published: 2026-04-10
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Deletion of Project Backgrounds
Action: Patch
AI Analysis

Impact

Vikunja, an open‑source self‑hosted task management platform, suffered a scoped‑token authorization bypass due to method‑confusion in the custom project background API routes. A token granted the projects.background scope could delete a project background, while a token with the dedicated projects.background_delete scope was correctly rejected. This demonstrates CWE‑836 (Authorization Bypass Through ID Manipulation) and allows an attacker to tamper with project visuals, compromising data integrity without affecting confidentiality or availability.

Affected Systems

The vulnerability impacts all installations of the go‑vikunja:vikunja product running a version earlier than 2.3.0. The fix was released in the 2.3.0 release; therefore any deployment using an earlier version remains vulnerable until it is upgraded.

Risk and Exploitability

The CVSS base score of 4.3 indicates moderate severity. No EPSS score was provided and the vulnerability is not listed in CISA's KEV catalog. The attack requires only an API token possessing the projects.background scope and the ability to send a standard HTTP request to the background deletion endpoint, making exploitation straightforward for any user who can obtain such a token.

Generated by OpenCVE AI on April 10, 2026 at 18:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vikunja to version 2.3.0 or later to apply the patch that corrects the scoped‑token enforcement for project background deletion.
  • Verify that your API tokens use the correct scopes: tokens with only projects.background should not have any deletion privileges.
  • If an immediate upgrade is not possible, revoke or delete any tokens that contain the projects.background scope to prevent unauthorized deletion until a patch can be applied.

Generated by OpenCVE AI on April 10, 2026 at 18:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v479-vf79-mg83 Vikunja: Scoped API tokens with projects.background permission can delete project backgrounds
History

Fri, 17 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Vikunja
Vikunja vikunja
CPEs cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
Vendors & Products Vikunja
Vikunja vikunja

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Go-vikunja
Go-vikunja vikunja
Vendors & Products Go-vikunja
Go-vikunja vikunja

Fri, 10 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with only projects.background_delete is rejected. This is a scoped-token authorization bypass. This vulnerability is fixed in 2.3.0.
Title Vikunja's Scoped API tokens with projects.background permission can delete project backgrounds
Weaknesses CWE-836
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Go-vikunja Vikunja
Vikunja Vikunja
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T14:45:18.303Z

Reserved: 2026-04-09T01:41:38.536Z

Link: CVE-2026-40103

cve-icon Vulnrichment

Updated: 2026-04-15T14:45:14.173Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T17:17:13.143

Modified: 2026-06-17T10:44:43.643

Link: CVE-2026-40103

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T13:00:25Z

Weaknesses
  • CWE-836

    Use of Password Hash Instead of Password for Authentication