CVE-2026-35598 Overview
CVE-2026-35598 is a Broken Access Control vulnerability in Vikunja, an open-source self-hosted task management platform. Prior to version 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. This allows any authenticated CalDAV user who knows (or guesses) a task UID to read the full task data from any project on the instance.
Critical Impact
Authenticated users can bypass project-level access controls to read sensitive task data from any project on the Vikunja instance, potentially exposing confidential information across organizational boundaries.
Affected Products
- Vikunja versions prior to 2.3.0
- Vikunja CalDAV API endpoints
- Self-hosted Vikunja instances with CalDAV enabled
Discovery Timeline
- April 10, 2026 - CVE-2026-35598 published to NVD
- April 14, 2026 - Last updated in NVD database
Technical Details for CVE-2026-35598
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization), a common weakness where the application fails to perform proper authorization checks before granting access to protected resources. In this case, the CalDAV implementation in Vikunja does not validate whether the requesting user has legitimate access to the project containing the requested task.
The flaw exists in the task retrieval logic where authorization checks are bypassed entirely. When a CalDAV request is made to retrieve a task by its UID, the application directly queries the database and returns the task data without verifying project membership or access permissions. This represents a horizontal privilege escalation scenario where users at the same privilege level can access each other's data.
Root Cause
The root cause is a missing authorization check in the CalDAV GetResource and GetResourcesByList methods. These functions query tasks directly by their UID identifier without implementing proper access control validation. The authentication mechanism confirms the user's identity, but the authorization layer fails to verify whether that authenticated user should have access to the specific task being requested.
Attack Vector
The attack requires network access and low-privilege authenticated access to the Vikunja instance with CalDAV capabilities. An attacker would need to:
- Obtain valid authentication credentials for the Vikunja instance
- Know or enumerate task UIDs (which may follow predictable patterns)
- Send CalDAV requests directly referencing those task UIDs
The vulnerability can be exploited by crafting CalDAV requests that reference task UIDs belonging to other users' projects. Since task UIDs are often based on predictable formats or can be discovered through other means, an attacker can systematically enumerate and retrieve task data from across the entire instance.
Detection Methods for CVE-2026-35598
Indicators of Compromise
- Unusual CalDAV API access patterns from authenticated users
- High volume of GetResource or GetResourcesByList requests targeting diverse task UIDs
- Users accessing task data from projects they are not members of
- Sequential or enumerated task UID requests in CalDAV logs
Detection Strategies
- Monitor CalDAV API endpoints for abnormal request patterns
- Implement alerting on access attempts to tasks outside a user's authorized projects
- Review web server and application logs for CalDAV requests with unusual UID patterns
- Deploy application-level logging to track authorization decision outcomes
Monitoring Recommendations
- Enable detailed logging for CalDAV API endpoints in Vikunja
- Configure SIEM rules to detect enumeration patterns in CalDAV requests
- Implement user behavior analytics to identify anomalous data access
- Monitor for bulk data extraction indicators through CalDAV channels
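One way to turn the enumeration indicator above into a concrete SIEM-style check, as an added Go example that is not part of the advisory or of Vikunja: the log line layout, the user names and the UID scheme are all constructed assumptions, so adapt the regular expression to the real access-log format before use.

```go
package main
import (
	"regexp"
	"sort"
	"strconv"
)

// Constructed log format (an assumption, not Vikunja's real layout):
//   <timestamp> user=<name> path=/dav/projects/<id>/<task-uid>.ics
var lineRe = regexp.MustCompile(`user=(\S+) path=/dav/projects/\d+/\S*?(\d+)\.ics`)

// SampleLog is constructed data: alice syncs her own task; eve walks consecutive UIDs.
const SampleLog = `2026-04-12T09:00:01Z user=alice path=/dav/projects/1/t-1001.ics
2026-04-12T09:05:00Z user=eve path=/dav/projects/2/t-1002.ics
2026-04-12T09:05:01Z user=eve path=/dav/projects/3/t-1003.ics
2026-04-12T09:05:01Z user=eve path=/dav/projects/3/t-1003.ics
2026-04-12T09:05:02Z user=eve path=/dav/projects/2/t-1004.ics`

// EnumerationSuspects returns, per user, the longest run of consecutively numbered
// task UIDs requested in log, keeping only users at or above minRun. A client syncing
// its own projects fetches the UIDs it was told about; walking t-1002, t-1003, t-1004
// in order is the enumeration pattern the indicators above describe.
func EnumerationSuspects(log string, minRun int) map[string]int {
	seen := map[string][]int{}
	for _, m := range lineRe.FindAllStringSubmatch(log, -1) {
		n, _ := strconv.Atoi(m[2]) // group 2 matched digits only
		seen[m[1]] = append(seen[m[1]], n)
	}
	out := map[string]int{}
	for user, nums := range seen {
		sort.Ints(nums)
		best, run := 0, 0
		for i := range nums {
			switch {
			case i > 0 && nums[i] == nums[i-1]:
				continue // repeated fetch of the same UID does not break a run
			case i > 0 && nums[i] == nums[i-1]+1:
				run++
			default:
				run = 1
			}
			if run > best {
				best = run
			}
		}
		if best >= minRun {
			out[user] = best
		}
	}
	return out
}
```

Tune minRun to the instance: a large team syncing a busy project legitimately fetches many UIDs, so combine this with the per-user distinct-UID volume and the cross-project spread the indicators list.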
How to Mitigate CVE-2026-35598
Immediate Actions Required
- Upgrade Vikunja to version 2.3.0 or later immediately
- Audit CalDAV access logs for signs of exploitation that may have occurred before the patch was applied
- Review which users have CalDAV access enabled and restrict if not required
- Consider temporarily disabling CalDAV functionality until the patch is applied
Patch Information
Vikunja version 2.3.0 addresses this vulnerability by implementing proper authorization checks in the CalDAV resource retrieval methods. The fix ensures that task access requests are validated against the user's project permissions before returning any data.
The security fix is available through:
For additional details, see the GitHub Security Advisory GHSA-48ch-p4gq-x46x.
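To make the root cause and the fix concrete, here is an added Go example that is not Vikunja's code: an in-memory store with hypothetical GetResource and GetResourcesByList methods, where the membership check is the step the vulnerable path skipped. Task, Store, the project and user names and the UIDs are all constructed.

```go
package main

import "errors"

// Constructed in-memory model (not Vikunja's schema): each task belongs to one
// project, and a user may read a task only if they are a member of that project.
type Task struct {
	UID       string
	ProjectID int
}
type Store struct {
	tasksByUID map[string]Task
	members    map[int]map[string]bool // projectID -> set of user IDs
}

var ErrNotFound = errors.New("caldav: task not found")
var ErrForbidden = errors.New("caldav: no access to the task's project")

// GetResource looks the task up by UID and then performs the membership check the
// pre-2.3.0 path skipped; that path returned t as soon as the UID matched.
func (s *Store) GetResource(user, uid string) (Task, error) {
	t, ok := s.tasksByUID[uid]
	if !ok {
		return Task{}, ErrNotFound
	}
	if !s.members[t.ProjectID][user] {
		return Task{}, ErrForbidden
	}
	return t, nil
}

// GetResourcesByList applies the same per-task check to a batch of UIDs, so a
// list request cannot be used to pull tasks out of other projects.
func (s *Store) GetResourcesByList(user string, uids []string) []Task {
	var out []Task
	for _, uid := range uids {
		if t, err := s.GetResource(user, uid); err == nil {
			out = append(out, t)
		}
	}
	return out
}

// NewDemoStore holds constructed sample data: alice is in project 1, bob in 2.
func NewDemoStore() *Store {
	return &Store{
		tasksByUID: map[string]Task{"t-1001": {"t-1001", 1}, "t-1002": {"t-1002", 2}},
		members:    map[int]map[string]bool{1: {"alice": true}, 2: {"bob": true}},
	}
}
```

Keep ErrForbidden and ErrNotFound distinct internally so authorization denials can be logged, but map both to the same client-facing response so a caller cannot use the difference to confirm which UIDs exist.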
Workarounds
- Disable CalDAV access for users who do not require it as a temporary measure
- Implement network-level access controls to restrict CalDAV endpoint access
- Deploy a reverse proxy with additional authorization checks for CalDAV requests
- Monitor and audit all CalDAV access until the patch can be applied
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

