CVE-2026-35599 Overview
CVE-2026-35599 is an algorithmic complexity vulnerability affecting Vikunja, an open-source self-hosted task management platform. Prior to version 2.3.0, the addRepeatIntervalToTime function contains an inefficient O(n) loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker can trigger billions of loop iterations, consuming CPU resources and holding database connections for extended periods per request.
Critical Impact
Authenticated attackers can cause significant service degradation or denial of service by exhausting server CPU resources and database connection pools through specially crafted repeating task requests.
Affected Products
- Vikunja versions prior to 2.3.0
Discovery Timeline
- 2026-04-10 - CVE-2026-35599 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-35599
Vulnerability Analysis
This vulnerability is classified under CWE-407 (Inefficient Algorithmic Complexity), which describes flaws where an algorithm's performance degrades dramatically based on input characteristics. The addRepeatIntervalToTime function in Vikunja's task scheduling logic implements a naive iterative approach to calculate the next occurrence of a repeating task. Rather than using mathematical computation to determine the target date directly, the function repeatedly adds the repeat interval to the task's due date until it exceeds the current system time.
When an attacker creates a task with a minimal repeat interval (1 second) combined with a due date set far in the past (potentially years), the function must iterate through an enormous number of cycles. For example, a due date set 10 years in the past would require approximately 315 million iterations. Each iteration consumes CPU cycles and, critically, maintains an active database connection throughout the operation.
Root Cause
The root cause lies in the algorithmic design of the addRepeatIntervalToTime function. Instead of calculating the number of intervals needed and jumping directly to the target date using arithmetic, the implementation uses a simple loop that increments the date one interval at a time. The loop therefore runs in time linear in the number of intervals between the original due date and the current time, roughly (now - due) / RepeatAfter, so execution time grows directly with how far in the past the due date lies and how small the interval is.
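To make the root cause concrete, here is an added Go illustration (not Vikunja's code and not the actual patch) of the one-interval-at-a-time loop beside a constant-time version that computes the same next occurrence with a single division; nextOccurrenceLoop and nextOccurrenceDirect are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// nextOccurrenceLoop mirrors the vulnerable pattern: it advances due by
// repeatAfter one step at a time until the result is after now. Work is
// proportional to (now - due) / repeatAfter, so a 1-second interval and a
// due date years in the past means hundreds of millions of iterations.
func nextOccurrenceLoop(due time.Time, repeatAfter time.Duration, now time.Time) time.Time {
	for !due.After(now) {
		due = due.Add(repeatAfter)
	}
	return due
}

// nextOccurrenceDirect computes the same result in constant time: count how
// many whole intervals lie between due and now, then jump past now in one Add.
// It also rejects a non-positive interval, which would make the loop above
// never terminate.
func nextOccurrenceDirect(due time.Time, repeatAfter time.Duration, now time.Time) (time.Time, error) {
	if repeatAfter <= 0 {
		return time.Time{}, errors.New("repeatAfter must be positive")
	}
	if due.After(now) {
		return due, nil // already in the future, nothing to advance
	}
	elapsed := now.Sub(due)
	steps := int64(elapsed/repeatAfter) + 1 // +1 so the result is strictly after now
	return due.Add(time.Duration(steps) * repeatAfter), nil
}

func main() {
	now := time.Date(2026, 4, 10, 12, 0, 0, 0, time.UTC)
	due := now.AddDate(-10, 0, 0) // ten years in the past, as in the advisory
	// Constructed comparison: the loop form would need ~315 million
	// iterations for this input; the direct form does one division.
	next, err := nextOccurrenceDirect(due, time.Second, now)
	fmt.Println(next, err)
	// The loop form is only run on a small, safe input here:
	fmt.Println(nextOccurrenceLoop(now.Add(-5*time.Second), 2*time.Second, now))
}
```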
Attack Vector
The attack is network-accessible and requires low-privilege authentication to the Vikunja platform. An authenticated user can exploit this vulnerability by creating or modifying a repeating task with the following characteristics:
- A RepeatAfter interval set to the minimum value (1 second)
- A due date configured far in the past (months or years ago)
When the server processes this task to calculate the next occurrence, it becomes trapped in the inefficient loop. Multiple concurrent malicious requests can exhaust the server's thread pool, database connection pool, and CPU resources, effectively denying service to legitimate users.
The vulnerability does not require any special permissions beyond basic task creation capabilities, making it accessible to any authenticated user of the platform.
Detection Methods for CVE-2026-35599
Indicators of Compromise
- Abnormally high CPU utilization on servers hosting Vikunja instances
- Database connection pool exhaustion or connection timeout errors
- Task creation or modification requests with unusually old due dates combined with small repeat intervals
- Server response times degrading significantly for task-related API endpoints
- Log entries showing long-running database transactions or connection holds
Detection Strategies
- Monitor API requests for task creation/modification with RepeatAfter values of 1 second or similarly small intervals combined with due dates more than several months in the past
- Implement alerting on sustained high CPU usage patterns on Vikunja application servers
- Track database connection pool utilization and alert on persistent high usage or pool exhaustion
- Analyze application logs for unusually long request processing times on task-related endpoints
Monitoring Recommendations
- Deploy application performance monitoring (APM) to track request latency distributions and identify outlier requests
- Configure database connection pool monitoring with alerts for connection starvation conditions
- Implement rate limiting on task creation and modification endpoints as a defensive measure
- Enable detailed request logging to capture task parameters for forensic analysis
How to Mitigate CVE-2026-35599
Immediate Actions Required
- Upgrade Vikunja to version 2.3.0 or later immediately
- Review existing tasks for suspicious configurations with minimal repeat intervals and past due dates
- Consider implementing request timeout limits at the reverse proxy or load balancer level as a temporary protective measure
- Monitor server resources closely for signs of exploitation attempts
Patch Information
The vulnerability has been addressed in Vikunja version 2.3.0. The fix is available through the official release and can be referenced via the following resources:
- GitHub Security Advisory GHSA-r4fg-73rc-hhh7
- GitHub Pull Request #2577
- GitHub Commit 6df0d6c
- Vikunja v2.3.0 Release
The patch replaces the iterative loop with an efficient calculation that directly computes the target date, eliminating the algorithmic complexity vulnerability.
Workarounds
- Implement request timeouts at the application gateway or reverse proxy level to terminate long-running requests (e.g., 30-60 second limits)
- Add input validation rules to reject tasks with repeat intervals below a reasonable threshold (e.g., minimum 60 seconds)
- Configure database connection timeouts to prevent indefinite connection holds
- Deploy rate limiting on task-related API endpoints to limit the frequency of task creation and modification requests
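The request-monitoring rule from the Detection Strategies section (small RepeatAfter combined with an old due date) and the minimum-interval validation workaround above reduce to one check. Here is an added Go example, not Vikunja's code, that applies it to constructed JSON-lines request records; the record field names, the 60-second floor and the one-million-iteration threshold are assumptions for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// taskRequest is one constructed log record; field names are an assumption, not Vikunja's format.
type taskRequest struct {
	User        string `json:"user"`
	RepeatAfter int64  `json:"repeat_after"` // seconds
	DueDate     string `json:"due_date"`     // RFC 3339
}
const minRepeatAfter = 60 * time.Second // validation floor from the workarounds
const maxIterations = 1_000_000         // estimated loop iterations treated as abusive

// checkTask returns "" for an acceptable task, otherwise why it would be rejected (validation
// workaround) or flagged (detection rule). The estimate is the work the vulnerable loop would do.
func checkTask(repeatAfter time.Duration, due, now time.Time) string {
	if repeatAfter < minRepeatAfter {
		return fmt.Sprintf("repeat interval %v is below the %v minimum", repeatAfter, minRepeatAfter)
	}
	if !due.After(now) { // a future due date needs no catch-up, so the loop would not run
		if n := int64(now.Sub(due)/repeatAfter) + 1; n > maxIterations {
			return fmt.Sprintf("due date %v in the past would cost ~%d iterations", now.Sub(due).Round(24*time.Hour), n)
		}
	}
	return ""
}

// scanLog runs checkTask over JSON-lines log text and returns "user: reason" hits.
func scanLog(log string, now time.Time) []string {
	var hits []string
	for _, line := range strings.Split(log, "\n") {
		var r taskRequest
		if err := json.Unmarshal([]byte(line), &r); err != nil || r.RepeatAfter == 0 {
			continue // blank, malformed, or non-repeating task
		}
		due, err := time.Parse(time.RFC3339, r.DueDate)
		if err != nil {
			continue
		}
		if reason := checkTask(time.Duration(r.RepeatAfter)*time.Second, due, now); reason != "" {
			hits = append(hits, r.User+": "+reason)
		}
	}
	return hits
}
```

The same checkTask predicate can sit in front of the task create/update handler to reject a request, or run over exported request logs to find tasks created before the upgrade.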
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.