EXECUTIVE SUMMARY:
Two security vulnerabilities have been identified in Vikunja, an open-source, self-hosted task management platform. The affected component is the Go package code.vikunja.io/api in versions 2.2.2 and earlier. The first is a privilege escalation via project reparenting; the second is a bypass of TOTP two-factor authentication through the OIDC login path. Together they let an authenticated low-privileged user gain administrative control of a project, and let an OIDC login that resolves to a TOTP-protected local account by e-mail complete without the second factor. The resulting business risk is substantial: unauthorized access to project data, destruction or takeover of projects, and the reputational damage that follows a breach.
CVE-2026-35595 with a CVSS score of 8.3 – A user with Write-level access to a project can escalate to Admin by moving (reparenting) that project under a project they own. After the move, the recursive permission CTE resolves the attacker's ownership of the new parent as Admin on the moved project, so the attacker can delete the project, manage its shares, and remove other users' access. The underlying defect is that the move is authorized with a check weaker than the permission the move ends up granting.
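To make the resolution step concrete, the following Go program is an added example written for this page, not Vikunja's own code: it keeps a small project tree in memory, resolves a user's effective right by walking the parent chain the way the recursive permission CTE does (ownership of any ancestor counts as Admin), and shows the attacker's right on a shared project jumping from Write to Admin once the project is reparented under one they own. The type names, the Write-only check in moveVulnerable and the Admin requirement in moveHardened are assumptions for illustration; the hardened variant is one plausible way to close the hole, not necessarily the fix shipped in 2.3.0.

```go
package main

import (
	"errors"
	"fmt"
)

// Right follows the ordering the advisory relies on: Read < Write < Admin.
type Right int

const (
	NoAccess Right = iota - 1 // constructed sentinel: no right at all
	Read
	Write
	Admin
)

func (r Right) String() string {
	return [...]string{"NoAccess", "Read", "Write", "Admin"}[r+1]
}

// Project is a constructed stand-in for a project row; ParentID 0 means top level.
type Project struct {
	OwnerID, ParentID int64
	Shares            map[int64]Right // direct user shares on this project
}

// Store is an in-memory stand-in for the projects table, keyed by project ID.
type Store map[int64]*Project

var errForbidden = errors.New("forbidden")

// effectiveRight resolves a right the way a recursive CTE over the parent column
// would: owning any ancestor yields Admin, otherwise the highest direct share on
// the chain wins. The seen set guards against cycles in the tree.
func (s Store) effectiveRight(userID, projectID int64) Right {
	best, seen := NoAccess, map[int64]bool{}
	for id := projectID; id != 0 && !seen[id]; {
		seen[id] = true
		p, ok := s[id]
		if !ok {
			break
		}
		if p.OwnerID == userID {
			return Admin
		}
		if r, ok := p.Shares[userID]; ok && r > best {
			best = r
		}
		id = p.ParentID
	}
	return best
}

// moveVulnerable models the pre-2.3.0 behaviour the advisory describes: Write on
// the moved project is enough, and ownership of the new parent then flows back down.
func (s Store) moveVulnerable(userID, projectID, newParentID int64) error {
	if s.effectiveRight(userID, projectID) < Write {
		return errForbidden
	}
	s[projectID].ParentID = newParentID
	return nil
}

// moveHardened is one way to close the hole (an assumption, not necessarily the
// upstream fix): a move can change who administers the project, so require Admin
// on it and Write on the destination. A real handler would also reject cycles.
func (s Store) moveHardened(userID, projectID, newParentID int64) error {
	if s.effectiveRight(userID, projectID) < Admin {
		return errForbidden
	}
	if newParentID != 0 && s.effectiveRight(userID, newParentID) < Write {
		return errForbidden
	}
	s[projectID].ParentID = newParentID
	return nil
}

// scenario builds the constructed tree (victim owns project 10, shared with the
// attacker at Write; attacker owns project 20) and reports the attacker's right on
// project 10 before the move, after the vulnerable move, and after the hardened attempt.
func scenario() (before, afterVulnerable, afterHardened Right, hardenedErr error) {
	const victim, attacker int64 = 1, 2
	fresh := func() Store {
		return Store{10: {OwnerID: victim, Shares: map[int64]Right{attacker: Write}}, 20: {OwnerID: attacker}}
	}
	s := fresh()
	before = s.effectiveRight(attacker, 10)
	_ = s.moveVulnerable(attacker, 10, 20)
	afterVulnerable = s.effectiveRight(attacker, 10)
	s = fresh()
	hardenedErr = s.moveHardened(attacker, 10, 20)
	afterHardened = s.effectiveRight(attacker, 10)
	return
}

func main() {
	b, v, h, err := scenario()
	fmt.Printf("before: %v, after vulnerable move: %v, after hardened attempt: %v (%v)\n", b, v, h, err)
}
```

The lesson the model makes visible is that in an inherited-permission tree a move is effectively a grant: whatever the mover holds on the destination will be resolved on the moved subtree afterwards, so the move must be authorized against the permission it ends up conferring, not merely against Write on the project being moved.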
CVE-2026-34727 with a CVSS score of 7.4 – The OIDC callback handler issues a full JWT without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched through the OIDC e-mail fallback mechanism, the second factor is skipped entirely, so an OIDC identity that asserts that user's e-mail address yields a complete session without the TOTP step that the password login path would have required.
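The following Go program is an added example for this page, not Vikunja's handler: it models the two user-matching strategies (issuer+subject, then the e-mail fallback), a callback that issues a token for whichever user matched, and a hardened callback that withholds the token until a valid TOTP passcode has been presented whenever the matched account has TOTP enrolled. The User and Claims types, issueJWT and the handler names are assumptions for illustration; the TOTP routine is a plain RFC 6238 implementation included so the passcode check can be verified offline against the RFC's SHA-1 test vector.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"time"
)

// User is a constructed stand-in for a local account (not the project's type).
type User struct {
	ID          int64
	Email       string
	TOTPSecret  []byte // non-nil means TOTP is enrolled
	OIDCIssuer  string // set once the account is linked to an OIDC identity
	OIDCSubject string
}

// Claims is the subset of ID-token claims the handler needs.
type Claims struct{ Issuer, Subject, Email string }

type LoginResult struct {
	Token     string // full session token; empty while a second factor is still due
	NeedsTOTP bool
}

var errUnknownUser = errors.New("no matching local user")
var errBadTOTP = errors.New("invalid TOTP passcode")

// issueJWT stands in for the real signer; the token content is not the point here.
func issueJWT(u *User) string { return fmt.Sprintf("jwt-for-user-%d", u.ID) }

// totpCode is RFC 6238 with SHA-1, 30-second steps and six digits. No clock-skew
// window is applied here; a production verifier would accept adjacent steps.
func totpCode(secret []byte, now time.Time) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(now.Unix()/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := (binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff) % 1000000
	return fmt.Sprintf("%06d", code)
}

// matchUser mirrors the two lookups the advisory describes: first by issuer and
// subject, then the fallback by e-mail. The bool reports whether the fallback was used.
func matchUser(users []*User, c Claims) (*User, bool) {
	for _, u := range users {
		if c.Subject != "" && u.OIDCIssuer == c.Issuer && u.OIDCSubject == c.Subject {
			return u, false
		}
	}
	for _, u := range users {
		if c.Email != "" && strings.EqualFold(u.Email, c.Email) {
			return u, true
		}
	}
	return nil, false
}

// callbackVulnerable models the pre-fix path: a full token for whoever matched,
// with no regard for TOTP enrolment.
func callbackVulnerable(users []*User, c Claims) (LoginResult, error) {
	u, _ := matchUser(users, c)
	if u == nil {
		return LoginResult{}, errUnknownUser
	}
	return LoginResult{Token: issueJWT(u)}, nil
}

// callbackHardened gates the token on the second factor for any enrolled account,
// whichever lookup matched it. passcode is "" on the first pass and the submitted
// TOTP value on the follow-up step; comparison is constant-time.
func callbackHardened(users []*User, c Claims, passcode string, now time.Time) (LoginResult, error) {
	u, _ := matchUser(users, c)
	if u == nil {
		return LoginResult{}, errUnknownUser
	}
	if u.TOTPSecret != nil {
		if passcode == "" {
			return LoginResult{NeedsTOTP: true}, nil
		}
		if !hmac.Equal([]byte(passcode), []byte(totpCode(u.TOTPSecret, now))) {
			return LoginResult{NeedsTOTP: true}, errBadTOTP
		}
	}
	return LoginResult{Token: issueJWT(u)}, nil
}

func main() {
	users := []*User{{ID: 7, Email: "alice@example.com", TOTPSecret: []byte("12345678901234567890")}}
	c := Claims{Issuer: "https://idp.example", Subject: "sub-1", Email: "alice@example.com"}
	v, _ := callbackVulnerable(users, c)
	h, _ := callbackHardened(users, c, "", time.Now())
	fmt.Printf("vulnerable: %+v\nhardened:   %+v\n", v, h)
}
```

The hardened handler deliberately checks enrolment for every matched account rather than only for e-mail-fallback matches: the cheaper invariant to reason about is that no code path issues a full session to a TOTP-enrolled user without a passcode, regardless of how the user was looked up.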
Both issues are reachable by ordinary participants in an instance rather than by administrators: the first by any user who has been granted Write on a project, the second by whoever controls an OIDC identity carrying a protected user's e-mail address. Urgency is therefore high. Business consequences include exposure or loss of project data, unauthorized access to accounts, and reputational damage.
RECOMMENDATION:
Update Vikunja to version 2.3.0. Until the update is deployed, treat any project whose parent was recently changed as possibly affected and review its current admins and shares, and review local accounts that have TOTP enrolled and could be matched by e-mail from an OIDC provider.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-2vq4-854f-5c72
https://github.com/advisories/GHSA-8jvc-mcx6-r4cg