CVE-2026-35601 Overview
CVE-2026-35601 is an iCalendar injection vulnerability in Vikunja, an open-source self-hosted task management platform. The CalDAV output generator in versions prior to 2.3.0 builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters can break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as ATTACH, VALARM, or ORGANIZER.
Critical Impact
Authenticated attackers can inject malicious iCalendar properties through crafted task titles, potentially enabling phishing attacks via spoofed organizer information, malicious attachment links, or unwanted alarm notifications for calendar subscribers.
Affected Products
- Vikunja versions prior to 2.3.0
Discovery Timeline
- 2026-04-10 - CVE-2026-35601 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-35601
Vulnerability Analysis
This vulnerability is classified under CWE-93 (Improper Neutralization of CRLF Sequences). The flaw exists in Vikunja's CalDAV output generator, which constructs iCalendar VTODO entries by directly concatenating user-supplied task titles without proper escaping as required by RFC 5545.
The iCalendar format (RFC 5545) defines specific escape sequences for TEXT values. Special characters including backslashes, semicolons, commas, and, critically, line breaks (CRLF sequences) must be escaped, because a raw CRLF terminates the current content line. When the CalDAV generator fails to escape task titles, an attacker can inject newline characters that terminate the current property and introduce arbitrary iCalendar properties or components.
This injection technique enables several attack scenarios: spoofing the ORGANIZER property to impersonate other users in phishing attacks, injecting malicious ATTACH URLs that calendar clients may automatically fetch, or adding VALARM components that generate intrusive notifications for all calendar subscribers.
Root Cause
The root cause is the absence of RFC 5545 TEXT value escaping in the CalDAV output generator. When building VTODO entries, the application concatenates user-controlled task title strings directly into the iCalendar output without sanitizing or escaping CRLF sequences (\r\n). This allows property boundary injection, enabling attackers to insert additional iCalendar properties or components.
Attack Vector
The attack requires network access and low-privileged authenticated access to the Vikunja instance. An attacker creates or modifies a task with a specially crafted title containing CRLF sequences followed by malicious iCalendar properties. When other users subscribe to the affected calendar via CalDAV, the injected properties are processed by their calendar clients.
The vulnerability mechanism involves crafting task titles with embedded CRLF sequences. When the CalDAV generator outputs the task as a VTODO entry, the CRLF breaks the property boundary, and subsequent content is interpreted as new iCalendar properties. For example, a task title containing CRLF followed by ORGANIZER:mailto:attacker@evil.com would inject a spoofed organizer property into the calendar output.
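The root cause and the mechanism above, as an added example written for this page (not Vikunja's own code): buildVTODOUnescaped is a hypothetical reconstruction of the raw-concatenation pattern the advisory describes, EscapeText implements the RFC 5545 section 3.3.11 TEXT escaping the fix is said to add, and the sample title with its placeholder mailto address is constructed. PropertyNames lets you see directly that the unescaped build emits an extra ORGANIZER line while the escaped build keeps the whole title inside one SUMMARY property.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample title: a plausible title, a CRLF, then a second
// iCalendar property. The address is a placeholder, not a real one.
const sampleTitle = "Weekly report\r\nORGANIZER:mailto:someone@example.invalid"

// buildVTODOUnescaped is a hypothetical reconstruction of the vulnerable
// pattern: the title is concatenated into SUMMARY with no escaping.
func buildVTODOUnescaped(uid, title string) string {
	return "BEGIN:VTODO\r\n" +
		"UID:" + uid + "\r\n" +
		"SUMMARY:" + title + "\r\n" +
		"END:VTODO\r\n"
}

// EscapeText applies RFC 5545 section 3.3.11 TEXT escaping: backslash,
// semicolon and comma get a leading backslash, and every line break becomes
// the literal two-character sequence \n, so it can never end a content line.
func EscapeText(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '\\':
			b.WriteString(`\\`)
		case ';':
			b.WriteString(`\;`)
		case ',':
			b.WriteString(`\,`)
		case '\r':
			// CR followed by LF is one line break; a bare CR is treated the same way.
			if i+1 < len(s) && s[i+1] == '\n' {
				i++
			}
			b.WriteString(`\n`)
		case '\n':
			b.WriteString(`\n`)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// buildVTODOEscaped is the hardened form: every user-controlled value goes
// through EscapeText before it is concatenated into the component.
func buildVTODOEscaped(uid, title string) string {
	return "BEGIN:VTODO\r\n" +
		"UID:" + EscapeText(uid) + "\r\n" +
		"SUMMARY:" + EscapeText(title) + "\r\n" +
		"END:VTODO\r\n"
}

// PropertyNames returns the property name of each content line, in order,
// which shows whether the title produced one SUMMARY line or smuggled in more.
func PropertyNames(ical string) []string {
	var names []string
	for _, line := range strings.Split(ical, "\r\n") {
		if line == "" {
			continue
		}
		name := line
		if i := strings.IndexAny(line, ":;"); i >= 0 {
			name = line[:i]
		}
		names = append(names, name)
	}
	return names
}

func main() {
	fmt.Println("unescaped:", PropertyNames(buildVTODOUnescaped("task-1", sampleTitle)))
	fmt.Println("escaped:  ", PropertyNames(buildVTODOEscaped("task-1", sampleTitle)))
}
```

Escaping rather than stripping is the right fix: a title containing a semicolon or comma is legitimate data and survives the round trip, while a CRLF is turned into the literal \n that a conforming client renders as a line break inside the summary.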
For detailed technical information, see the GitHub Security Advisory GHSA-2g7h-7rqr-9p4r.
Detection Methods for CVE-2026-35601
Indicators of Compromise
- Task titles containing CRLF character sequences (\r\n or %0d%0a)
- CalDAV output containing unexpected iCalendar properties such as ORGANIZER, ATTACH, or VALARM that don't correlate with legitimate task data
- Calendar subscription errors or anomalies reported by users
Detection Strategies
- Implement input validation monitoring to detect CRLF sequences in task title fields
- Review CalDAV access logs for unusual patterns or requests following task creation/modification
- Monitor for user reports of unexpected calendar notifications or suspicious organizer information
Monitoring Recommendations
- Enable logging for CalDAV endpoint access and task modification events
- Configure alerts for task titles containing control characters or CRLF sequences
- Audit calendar exports periodically for malformed or injected iCalendar properties
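The indicators and monitoring recommendations above, as an added example written for this page (not Vikunja's own code): HasControlChars is the title-level check an input-validation monitor would run, and AuditVTODOs scans an exported iCalendar document for ORGANIZER or ATTACH properties and VALARM sub-components inside VTODO entries, unfolding RFC 5545 continuation lines first so a folded value is not missed. The list of unexpected properties and the sample export (with its placeholder mailto address) are assumptions constructed for the example; adjust the list to what your deployment legitimately emits.

```go
package main

import (
	"fmt"
	"strings"
)

// HasControlChars reports whether a task title contains CR, LF or any other
// ASCII control character, the first indicator of compromise listed above.
func HasControlChars(title string) bool {
	for _, r := range title {
		if r < 0x20 || r == 0x7f {
			return true
		}
	}
	return false
}

// UnfoldLines joins RFC 5545 folded lines (a continuation line starts with a
// single space or tab) so each property is examined as one logical line.
func UnfoldLines(ical string) []string {
	var lines []string
	for _, raw := range strings.Split(ical, "\n") {
		raw = strings.TrimRight(raw, "\r")
		if (strings.HasPrefix(raw, " ") || strings.HasPrefix(raw, "\t")) && len(lines) > 0 {
			lines[len(lines)-1] += raw[1:]
			continue
		}
		if raw != "" {
			lines = append(lines, raw)
		}
	}
	return lines
}

// unexpected holds names a task export has no legitimate reason to emit on a
// VTODO (assumption based on the indicators above; tune for your deployment).
var unexpected = map[string]bool{"ORGANIZER": true, "ATTACH": true, "VALARM": true}

// Finding ties one suspicious property or sub-component to the UID of the
// VTODO it appeared in, so the task can be located and reviewed.
type Finding struct {
	UID      string
	Property string
}

// AuditVTODOs walks an iCalendar document and returns a Finding for every
// unexpected property line or BEGIN of an unexpected sub-component in a VTODO.
func AuditVTODOs(ical string) []Finding {
	var findings []Finding
	inTodo := false
	uid := ""
	for _, line := range UnfoldLines(ical) {
		name := line
		if i := strings.IndexAny(line, ":;"); i >= 0 {
			name = line[:i]
		}
		value := ""
		if i := strings.Index(line, ":"); i >= 0 {
			value = line[i+1:]
		}
		switch {
		case name == "BEGIN" && value == "VTODO":
			inTodo, uid = true, ""
		case name == "END" && value == "VTODO":
			inTodo = false
		case !inTodo:
			continue
		case name == "UID":
			uid = value
		case name == "BEGIN" && unexpected[value]:
			findings = append(findings, Finding{uid, value})
		case unexpected[name]:
			findings = append(findings, Finding{uid, name})
		}
	}
	return findings
}

// Constructed sample export: one clean VTODO and one whose SUMMARY is
// followed by an injected (folded) ORGANIZER line and a VALARM block.
const sampleExport = "BEGIN:VCALENDAR\r\n" +
	"VERSION:2.0\r\n" +
	"BEGIN:VTODO\r\n" +
	"UID:task-1\r\n" +
	"SUMMARY:Renew TLS certificate\r\n" +
	"END:VTODO\r\n" +
	"BEGIN:VTODO\r\n" +
	"UID:task-2\r\n" +
	"SUMMARY:Weekly report\r\n" +
	"ORGANIZER;CN=IT Helpdesk:\r\n" +
	" mailto:helpdesk@example.invalid\r\n" +
	"BEGIN:VALARM\r\n" +
	"ACTION:DISPLAY\r\n" +
	"TRIGGER:-PT5M\r\n" +
	"DESCRIPTION:Reminder\r\n" +
	"END:VALARM\r\n" +
	"END:VTODO\r\n" +
	"END:VCALENDAR\r\n"

func main() {
	for _, f := range AuditVTODOs(sampleExport) {
		fmt.Printf("task %s: unexpected %s\n", f.UID, f.Property)
	}
	fmt.Println("title has control chars:", HasControlChars("Weekly report\r\nORGANIZER:x"))
}
```

Run the audit over a periodic CalDAV export of each project and alert on any non-empty result; pair it with HasControlChars on task creation and update events so a suspicious title is flagged before the next subscriber sync rather than after.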
How to Mitigate CVE-2026-35601
Immediate Actions Required
- Upgrade Vikunja to version 2.3.0 or later immediately
- Review existing task titles for potentially malicious content containing CRLF sequences
- Audit CalDAV subscriber access and notify users who may have synced potentially compromised calendars
Patch Information
The vulnerability is fixed in Vikunja version 2.3.0. The patch implements proper RFC 5545 TEXT value escaping for user-controlled content in the CalDAV output generator. Organizations should upgrade to this version or later as soon as possible.
For patch details, see the GitHub Pull Request #2580 and download the fixed version from the GitHub Release v2.3.0.
Workarounds
- If immediate upgrade is not possible, consider temporarily disabling CalDAV access until the patch can be applied
- Implement input sanitization at the web application firewall level to strip CRLF sequences from task title inputs
- Restrict CalDAV access to trusted internal users only until the vulnerability is patched
# Upgrade Vikunja to the patched version
# Using Docker (recommended approach). The bare commands below show only the
# minimal shape: when recreating the container, reuse the same port, volume
# and environment flags as your existing deployment so data and config persist.
docker pull vikunja/vikunja:2.3.0
docker stop vikunja
docker rm vikunja
docker run -d --name vikunja vikunja/vikunja:2.3.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

