CVE-2026-35596 Overview
CVE-2026-35596 is an authorization bypass vulnerability affecting Vikunja, an open-source self-hosted task management platform. The vulnerability exists in the hasAccessToLabel function, which contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. This flaw exposes sensitive information including label titles, descriptions, colors, and creator information to unauthorized users.
Critical Impact
Any authenticated user can bypass access controls and read label information from projects they should not have access to, potentially exposing sensitive organizational data and project structures.
Affected Products
- Vikunja versions prior to 2.3.0
Discovery Timeline
- 2026-04-10 - CVE-2026-35596 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-35596
Vulnerability Analysis
This vulnerability is classified as CWE-863 (Incorrect Authorization). The flaw resides in the hasAccessToLabel function within Vikunja's codebase. Due to improper SQL operator precedence handling, the authorization check fails to properly restrict label access based on project permissions.
When a user queries for labels, the underlying SQL query does not correctly evaluate the logical conditions that should enforce project-based access controls. This allows any authenticated user to enumerate and retrieve label metadata from any project where labels are associated with at least one task, even if the user has no legitimate access to that project.
The information exposed through this vulnerability includes label titles, descriptions, colors, and creator information, which could reveal sensitive project categorization schemes, workflow details, or organizational structure to unauthorized parties.
Root Cause
The root cause is a SQL operator precedence bug in the hasAccessToLabel function. In SQL, AND binds more tightly than OR, so a condition written as a OR b AND c is evaluated as a OR (b AND c), not as (a OR b) AND c. When an access-control predicate mixes the two operators without explicit parentheses, the query can enforce a different rule from the one its author intended.
The vulnerable code path likely combines several conditions with AND and OR without grouping them, so that the task-association condition on its own satisfies the check whatever the requester's project rights. The fix in version 2.3.0 corrects the grouping in the SQL query construction.
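The following Python program is an added example, not Vikunja's code: its schema, sample rows and both queries are constructed here to show how a mis-grouped AND/OR in a label-access predicate over-grants. It builds a small SQLite database (tables labels, tasks, label_tasks, project_users, all assumed names) and evaluates a hasAccessToLabel-style "does any row match" check with a mis-grouped predicate and with the parenthesised one, for every user/label pair.

```python
"""Added example: a mis-grouped AND/OR in an authorization query over-grants.

The schema, data and both queries are constructed for this illustration; they are
not Vikunja's real schema or its hasAccessToLabel implementation.
"""
import sqlite3

# Constructed schema (assumption, not Vikunja's actual tables).
SCHEMA = """
CREATE TABLE labels        (id INTEGER PRIMARY KEY, title TEXT, created_by INTEGER);
CREATE TABLE projects      (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE project_users (project_id INTEGER, user_id INTEGER);
CREATE TABLE tasks         (id INTEGER PRIMARY KEY, project_id INTEGER);
CREATE TABLE label_tasks   (label_id INTEGER, task_id INTEGER);
"""

# Constructed sample data: user 10 belongs only to project 1, user 20 only to project 2.
# Label 1 hangs off a task in project 1, label 2 off a task in project 2, and
# label 3 was created by user 10 and is attached to no task at all.
SAMPLE_DATA = """
INSERT INTO projects      VALUES (1, 'hr-private'), (2, 'roadmap');
INSERT INTO project_users VALUES (1, 10), (2, 20);
INSERT INTO tasks         VALUES (100, 1), (200, 2);
INSERT INTO labels        VALUES (1, 'layoff-candidate', 10), (2, 'q3-launch', 20), (3, 'draft', 10);
INSERT INTO label_tasks   VALUES (1, 100), (2, 200);
"""

# Intended rule: the requester may read the label if it is attached to a task in a
# project the requester belongs to, OR the requester created the label.
# The joins yield one row per attached task; pu.user_id is non-NULL only when the
# requester is a member of that task's project.

# Mis-grouped predicate. AND binds tighter than OR, so the inner clause is read as
#   has_task OR (created_by AND member)
# and every user passes for any label that has at least one task association.
VULNERABLE_QUERY = """
SELECT COUNT(*)
FROM labels l
LEFT JOIN label_tasks   lt ON lt.label_id = l.id
LEFT JOIN tasks         t  ON t.id = lt.task_id
LEFT JOIN project_users pu ON pu.project_id = t.project_id AND pu.user_id = :user
WHERE l.id = :label
  AND (lt.task_id IS NOT NULL OR l.created_by = :user AND pu.user_id IS NOT NULL)
"""

# Corrected predicate: the membership test belongs to the task branch, and the
# grouping is written out with parentheses instead of relying on precedence.
FIXED_QUERY = """
SELECT COUNT(*)
FROM labels l
LEFT JOIN label_tasks   lt ON lt.label_id = l.id
LEFT JOIN tasks         t  ON t.id = lt.task_id
LEFT JOIN project_users pu ON pu.project_id = t.project_id AND pu.user_id = :user
WHERE l.id = :label
  AND ((lt.task_id IS NOT NULL AND pu.user_id IS NOT NULL) OR l.created_by = :user)
"""


def build_db() -> sqlite3.Connection:
    """Create the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_DATA)
    return conn


def has_access(conn: sqlite3.Connection, query: str, user_id: int, label_id: int) -> bool:
    """Access check in the style of a hasAccessToLabel helper: any matching row grants access."""
    (count,) = conn.execute(query, {"user": user_id, "label": label_id}).fetchone()
    return count > 0


def access_matrix(query: str) -> dict[tuple[int, int], bool]:
    """Evaluate the query for every (user, label) pair in the sample data."""
    conn = build_db()
    try:
        return {(u, lb): has_access(conn, query, u, lb) for u in (10, 20) for lb in (1, 2, 3)}
    finally:
        conn.close()


if __name__ == "__main__":
    for name, query in (("vulnerable", VULNERABLE_QUERY), ("fixed", FIXED_QUERY)):
        print(name)
        for (user, label), allowed in access_matrix(query).items():
            print(f"  user {user} -> label {label}: {'ALLOW' if allowed else 'deny'}")
```

With the mis-grouped query, user 20 reads label 1 (a task in a project user 20 does not belong to), and user 10 reads label 2, while user 10 is refused their own task-less label 3 because the membership test got attached to the creator branch. Precedence mistakes typically break an authorization predicate in both directions like this, which is why such predicates deserve a truth-table test over every branch rather than a single happy-path check.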
Attack Vector
The attack is network-based and requires authentication. An attacker with a valid user account on a Vikunja instance can exploit this vulnerability by making API requests to enumerate labels. The attack does not require any special privileges beyond basic authentication, and no user interaction is needed.
The exploitation is straightforward:
- An attacker authenticates to the Vikunja platform with any valid user credentials
- The attacker makes API requests to retrieve label information
- Due to the SQL operator precedence bug, the authorization check incorrectly allows access
- The attacker receives label data from projects they should not have access to
For technical details on the vulnerability and fix, see the GitHub Security Advisory and the associated pull request.
Detection Methods for CVE-2026-35596
Indicators of Compromise
- Successful label reads by users who are not members of any project the label is attached to; the flawed check succeeds rather than fails, so authorization-error counts will not reveal the bypass
- Bursts of sequential label-ID requests from a single session, the pattern of an enumeration script walking every label on the instance
- Access log entries showing label retrieval for projects where the authenticated user lacks membership
Detection Strategies
- Monitor API access logs for label endpoint requests that return data from projects the user is not a member of
- Implement anomaly detection for users accessing labels across an unusually high number of projects
- Review authentication logs for accounts performing bulk label enumeration activities
- Cross-reference label access patterns with project membership records to identify unauthorized access
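The following Python script is an added example, not part of the original advisory or of Vikunja: it applies the cross-referencing strategy above to constructed access-log lines. The log line shape, the user=ID field and the /api/v1/labels/{id} path are assumptions, as is the reference data (which projects each label reaches through its tasks, who created it, and each user's memberships); in practice the reference data comes from the Vikunja database and the log format from your reverse proxy.

```python
"""Added example: post-hoc detection of label reads that project membership does not justify.

Log format, endpoint path and reference data are constructed for this illustration.
"""
import re
from collections import defaultdict

# Constructed reference data (normally extracted from the database):
# projects each label reaches through its tasks, each label's creator, each user's projects.
LABEL_PROJECTS = {1: {1}, 2: {2}, 3: set(), 4: {3}, 5: {4}}
LABEL_CREATOR = {1: 10, 2: 20, 3: 10, 4: 30, 5: 30}
USER_PROJECTS = {10: {1}, 20: {2}, 30: {3, 4}}

# Constructed access-log lines (assumed shape: timestamp, user id, method, path, status).
# User 20 belongs to project 2 only but successfully reads labels 1, 4 and 5.
SAMPLE_LOG = """\
2026-04-11T09:12:03Z user=10 GET /api/v1/labels/1 200
2026-04-11T09:12:09Z user=10 GET /api/v1/labels/3 200
2026-04-11T09:15:41Z user=20 GET /api/v1/labels/1 200
2026-04-11T09:15:42Z user=20 GET /api/v1/labels/2 200
2026-04-11T09:15:43Z user=20 GET /api/v1/labels/3 403
2026-04-11T09:15:44Z user=20 GET /api/v1/labels/4 200
2026-04-11T09:15:45Z user=20 GET /api/v1/labels/5 200
2026-04-11T09:20:00Z user=30 GET /api/v1/tasks/100 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) GET /api/v1/labels/(?P<label>\d+) (?P<status>\d{3})$"
)


def entitled(user: int, label: int) -> bool:
    """The membership rule the server should have enforced: creator, or member of a project the label reaches."""
    if LABEL_CREATOR.get(label) == user:
        return True
    return bool(LABEL_PROJECTS.get(label, set()) & USER_PROJECTS.get(user, set()))


def find_unjustified_reads(log_text: str) -> list[tuple[str, int, int, set[int]]]:
    """Return (timestamp, user, label, foreign_projects) for successful label reads the reference data does not justify."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        # Only successful reads matter: the bypass makes the check pass, so it never logs an error.
        if not m or m["status"] != "200":
            continue
        user, label = int(m["user"]), int(m["label"])
        if not entitled(user, label):
            foreign = LABEL_PROJECTS.get(label, set()) - USER_PROJECTS.get(user, set())
            hits.append((m["ts"], user, label, foreign))
    return hits


def enumeration_suspects(hits, min_projects: int = 2) -> dict[int, list[int]]:
    """Users whose unjustified reads touch at least min_projects distinct foreign projects."""
    per_user: dict[int, set[int]] = defaultdict(set)
    for _ts, user, _label, foreign in hits:
        per_user[user] |= foreign
    return {u: sorted(p) for u, p in per_user.items() if len(p) >= min_projects}


if __name__ == "__main__":
    found = find_unjustified_reads(SAMPLE_LOG)
    for ts, user, label, foreign in found:
        print(f"{ts} user {user} read label {label} from foreign project(s) {sorted(foreign)}")
    print("enumeration suspects:", enumeration_suspects(found))
```

Run against the sample, the script flags user 20's reads of labels 1, 4 and 5 and reports user 20 as an enumeration suspect spanning projects 1, 3 and 4; the 403 on label 3 is ignored because a label with no task association is outside the bug's reach and was refused normally. If your proxy logs only a session or token rather than a user id, map it to the user first; the regular expression is the only part tied to the assumed log format.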
Monitoring Recommendations
- Enable detailed API logging for all label-related endpoints
- Alert when a single account retrieves labels attached to projects it does not belong to; because the flawed check succeeds rather than fails, alerts keyed on failed authorization attempts will not catch this bypass
- Regularly audit user access patterns to identify anomalous label retrieval behavior
- Monitor for automated or scripted access patterns targeting label APIs
How to Mitigate CVE-2026-35596
Immediate Actions Required
- Upgrade Vikunja to version 2.3.0 or later immediately
- Review API access logs for any evidence of exploitation prior to patching
- Audit sensitive labels that may have been exposed to unauthorized users
- If label titles or descriptions carried sensitive details, treat them as disclosed to every user of the instance: move such data out of labels and rotate any credentials that were stored there
Patch Information
The vulnerability is fixed in Vikunja version 2.3.0, which is available as an official release. The fix corrects the SQL operator precedence in the hasAccessToLabel function so that project-based access controls are enforced.
Workarounds
- Restrict network access to the Vikunja instance to trusted users only until the patch can be applied; since exploitation requires an account, also disable open user registration and remove unused accounts
- Network-level controls or API gateway rules that restrict label endpoints reduce exposure only if they can tell users apart; blanket blocking of label reads breaks normal use, so treat this as a short-term measure
- Avoid storing sensitive information in label titles, descriptions, or metadata until the upgrade is complete
- Monitor and audit label access patterns closely as a compensating control
# Upgrade Vikunja to the patched version (2.3.0 or later)
# Using Docker: pull the fixed image, then recreate the container
docker pull vikunja/vikunja:2.3.0
docker stop vikunja
docker rm vikunja
# Recreate the container with the SAME volume mounts, environment and config file
# as the old one (database settings, secrets, data directory); the minimal line
# below shows only the port mapping and would start an empty instance if run as-is
docker run -d --name vikunja -p 3456:3456 vikunja/vikunja:2.3.0
# With docker compose, bump the image tag in the compose file instead and run:
#   docker compose pull && docker compose up -d
# Verify the installed version from inside the container and from the API
docker exec vikunja vikunja version
curl -s http://localhost:3456/api/v1/info
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

