HIGH🇬🇧 English

CVE-2026-35595

CVSS 8.3v3.1pub. 2026-04-10upd. 2026-04-17

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CanUpdate check at pkg/models/project_permissions.go:139-148 only requires CanWrite on the new parent project when changing parent_project_id. However, Vikunja's permission model uses a recursive CTE that walks up the project hierarchy to compute permissions. Moving a project under a different parent changes the permission inheritance chain. When a user has inherited Write access (from a parent project share) and reparents the child project under their own project tree, the CTE resolves their ownership of the new parent as Admin (permission level 2) on the moved project. This vulnerability is fixed in 2.3.0.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
  • Vikunja

    APP
    Vikunja
    < 2.3.0
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2026-28268CRITICAL9.8PL ✓ten sam produkt

Vikunja: wielokrotne użycie tokenu resetowania hasła — przejęcie konta

CVE-2026-27575CRITICAL9.1PL ✓ten sam produkt

Vikunja: słabe hasła i brak unieważniania sesji po zmianie hasła

CVE-2026-34727HIGH7.4ten sam produkt

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issu...

CVE-2026-33316HIGH8.1ten sam produkt

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja’s pa...

CVE-2026-33668HIGH7.1ten sam produkt

Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to versio...