CVE-2026-40103 Overview
CVE-2026-40103 is an authorization bypass vulnerability in Vikunja, an open-source self-hosted task management platform. Prior to version 2.3.0, Vikunja's scoped API token enforcement for custom project background routes suffers from method confusion. A token with only projects.background scope can successfully delete a project background, while a token with only projects.background_delete scope is incorrectly rejected. This represents a scoped-token authorization bypass that allows users to perform unauthorized actions beyond their token's intended permissions.
Critical Impact
Attackers with limited API token scopes can bypass authorization controls to delete project backgrounds, potentially disrupting project configurations and user workflows.
Affected Products
- Vikunja versions prior to 2.3.0
Discovery Timeline
- April 10, 2026 - CVE-2026-40103 published to NVD
- April 13, 2026 - Last updated in NVD database
Technical Details for CVE-2026-40103
Vulnerability Analysis
This vulnerability is classified as CWE-836 (Use of Password Hash Instead of Password for Authentication), though the core issue relates to improper scope enforcement in API token validation. The vulnerability exists in how Vikunja validates scoped API tokens against HTTP methods for project background operations.
The method confusion occurs when the API endpoint checks token permissions for background-related operations. Instead of correctly matching the projects.background_delete scope to DELETE operations, the system accepts the broader projects.background scope for deletion actions. This inverts the expected security model where more specific scopes should be required for destructive operations.
The attack can be conducted over the network by any authenticated user possessing a scoped API token, without requiring user interaction. The impact is limited to integrity concerns, as attackers can delete project backgrounds they should not have permission to modify, but cannot read additional data or cause system-wide denial of service.
Root Cause
The root cause lies in method-confused scope validation within Vikunja's API token enforcement logic. The authorization middleware incorrectly maps HTTP DELETE requests on the project background endpoint to the projects.background scope rather than the intended projects.background_delete scope. This allows tokens with read/write permissions to perform delete operations that should require explicit delete permissions.
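The method-to-scope mapping described above, as an added illustration written for this page (it is a reconstruction of the described behaviour, not Vikunja's source code). Two route tables are compared: one where DELETE on the background route is confused with the read/write scope, and one with the corrected mapping. The table layout, the Authorize function and its deny-by-default handling of unknown routes are assumptions of the example; the scope names and endpoint path come from the advisory.

```go
package main

import (
	"fmt"
	"net/http"
)

// Scope names used by the advisory.
const (
	ScopeBackground       = "projects.background"
	ScopeBackgroundDelete = "projects.background_delete"
)

// backgroundRoute is the endpoint named in the advisory.
const backgroundRoute = "/api/v1/projects/{id}/background"

// scopeTable maps a route pattern to the scope each HTTP method requires.
type scopeTable map[string]map[string]string

// buggyTable reconstructs the pre-2.3.0 behaviour described in the advisory
// (an assumption, not Vikunja's code): DELETE on the background route demands
// projects.background, so a token holding only projects.background_delete
// never matches and is rejected.
var buggyTable = scopeTable{
	backgroundRoute: {
		http.MethodGet:    ScopeBackground,
		http.MethodPut:    ScopeBackground,
		http.MethodDelete: ScopeBackground, // method confusion: wrong scope for DELETE
	},
}

// fixedTable models the corrected mapping: DELETE requires the dedicated
// delete scope; read/write methods keep projects.background.
var fixedTable = scopeTable{
	backgroundRoute: {
		http.MethodGet:    ScopeBackground,
		http.MethodPut:    ScopeBackground,
		http.MethodDelete: ScopeBackgroundDelete,
	},
}

// Authorize reports whether a token carrying tokenScopes may call method on
// route under the given table. Unknown routes or methods are denied, so a
// missing table entry can never widen access.
func Authorize(table scopeTable, route, method string, tokenScopes []string) bool {
	methods, ok := table[route]
	if !ok {
		return false
	}
	need, ok := methods[method]
	if !ok {
		return false
	}
	for _, s := range tokenScopes {
		if s == need {
			return true
		}
	}
	return false
}

func main() {
	cases := []struct {
		name   string
		scopes []string
	}{
		{"read/write token", []string{ScopeBackground}},
		{"delete-only token", []string{ScopeBackgroundDelete}},
	}
	for _, c := range cases {
		fmt.Printf("%-18s DELETE  buggy=%-5v fixed=%v\n", c.name,
			Authorize(buggyTable, backgroundRoute, http.MethodDelete, c.scopes),
			Authorize(fixedTable, backgroundRoute, http.MethodDelete, c.scopes))
	}
}
```

Running it shows the inversion the advisory describes: under the buggy table the read/write token is allowed to DELETE and the delete-only token is refused; under the fixed table the outcomes swap. Keeping the mapping in a single table keyed by method, rather than in per-handler checks, makes this kind of mismatch reviewable in one place.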
Attack Vector
The attack vector is network-based, requiring an authenticated attacker with a scoped API token. The exploitation process involves:
- An attacker obtains or creates an API token with projects.background scope (intended for reading/setting backgrounds)
- The attacker sends an HTTP DELETE request to the project background endpoint
- Due to the method confusion bug, the server incorrectly validates the projects.background scope against the DELETE operation
- The project background is deleted despite the attacker lacking projects.background_delete permissions
The vulnerability allows privilege escalation within the scope of background management operations, enabling unauthorized deletion of project customizations.
Detection Methods for CVE-2026-40103
Indicators of Compromise
- Unexpected deletion of project backgrounds without corresponding projects.background_delete scoped token usage
- API audit logs showing DELETE operations on /api/v1/projects/{id}/background endpoints authenticated with non-delete scoped tokens
- User reports of missing project backgrounds that were not intentionally removed
Detection Strategies
- Review API access logs for DELETE requests to project background endpoints and cross-reference with token scopes
- Implement token scope auditing to detect tokens with projects.background scope being used for destructive operations
- Monitor for anomalous patterns of background deletion activity that may indicate exploitation
Monitoring Recommendations
- Enable detailed API request logging including authentication token identifiers and scopes
- Set up alerts for DELETE operations on project background endpoints
- Regularly audit API token permissions and usage patterns across your Vikunja instance
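The cross-reference described under Detection Strategies and Monitoring Recommendations, as an added example for this page (not a Vikunja feature or script). It scans JSON access-log lines and joins them against a token inventory (token identifier to scopes), flagging every DELETE on the project background endpoint made with a token that does not hold projects.background_delete. The log field names, the inventory shape and the sample lines are constructed for the example; Vikunja's real log format will differ and the parser must be adapted to it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// accessEntry is the assumed shape of one JSON access-log line. The field
// names are a constructed convention for this example, not Vikunja's format.
type accessEntry struct {
	Method  string `json:"method"`
	Path    string `json:"path"`
	Status  int    `json:"status"`
	TokenID string `json:"token_id"`
}

// Finding is one DELETE on a background route made with a token that does
// not hold projects.background_delete. Status distinguishes a completed
// deletion (2xx, the indicator of compromise) from a rejected attempt.
type Finding struct {
	TokenID   string
	ProjectID string
	Status    int
}

// backgroundPath matches the endpoint named in the advisory and captures the project id.
var backgroundPath = regexp.MustCompile(`^/api/v1/projects/(\d+)/background/?$`)

func hasScope(scopes []string, want string) bool {
	for _, s := range scopes {
		if s == want {
			return true
		}
	}
	return false
}

// FindSuspiciousDeletes scans log lines and cross-references the token
// inventory. Tokens absent from the inventory are flagged as well, because
// their scopes are unknown and cannot justify a deletion.
func FindSuspiciousDeletes(lines []string, inventory map[string][]string) ([]Finding, error) {
	var out []Finding
	for n, line := range lines {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var e accessEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		if e.Method != "DELETE" {
			continue
		}
		m := backgroundPath.FindStringSubmatch(e.Path)
		if m == nil {
			continue
		}
		if hasScope(inventory[e.TokenID], "projects.background_delete") {
			continue
		}
		out = append(out, Finding{TokenID: e.TokenID, ProjectID: m[1], Status: e.Status})
	}
	return out, nil
}

// sampleLog and sampleInventory are constructed input for the demonstration.
var sampleLog = []string{
	`{"method":"PUT","path":"/api/v1/projects/7/background","status":200,"token_id":"tk_rw"}`,
	`{"method":"DELETE","path":"/api/v1/projects/7/background","status":200,"token_id":"tk_rw"}`,
	`{"method":"DELETE","path":"/api/v1/projects/9/background","status":200,"token_id":"tk_del"}`,
	`{"method":"DELETE","path":"/api/v1/projects/9","status":200,"token_id":"tk_rw"}`,
	`{"method":"DELETE","path":"/api/v1/projects/3/background","status":403,"token_id":"tk_rw"}`,
}

var sampleInventory = map[string][]string{
	"tk_rw":  {"projects.background"},
	"tk_del": {"projects.background_delete"},
}

func main() {
	findings, err := FindSuspiciousDeletes(sampleLog, sampleInventory)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("token %s deleted/attempted background of project %s (HTTP %d)\n", f.TokenID, f.ProjectID, f.Status)
	}
}
```

On the sample input the second line is the finding that matters (a completed deletion with a read/write token); the last line shows what the same token produces once the instance is patched, which is still worth alerting on as evidence that someone is trying. The PUT and the DELETE on the project itself are not flagged.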
How to Mitigate CVE-2026-40103
Immediate Actions Required
- Upgrade Vikunja to version 2.3.0 or later immediately
- Review API tokens with projects.background scope and assess whether they have been misused
- Audit project backgrounds across your instance to identify any unauthorized deletions
- Consider temporarily revoking and reissuing scoped API tokens until the upgrade is complete
Patch Information
Vikunja has addressed this vulnerability in version 2.3.0. The fix corrects the method-to-scope mapping in the API token validation logic, ensuring that DELETE operations on project backgrounds correctly require the projects.background_delete scope.
For technical details, refer to:
- GitHub Security Advisory GHSA-v479-vf79-mg83
- GitHub Commit 6a0f39b
- GitHub Pull Request #2584
- Vikunja v2.3.0 Release
Workarounds
- If immediate upgrade is not possible, temporarily disable or revoke API tokens with broad scopes like projects.background
- Implement network-level access controls to restrict API access to trusted networks only
- Use a reverse proxy to block DELETE requests to project background endpoints for tokens that should not have delete permissions
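The reverse-proxy workaround in the last bullet, as an added example for this page (not a Vikunja component or a vendor-supplied configuration). The guard wraps whatever handler forwards traffic to Vikunja and refuses DELETE on the project background endpoint unless the presented bearer token is on an operator-maintained allowlist of tokens known to hold projects.background_delete. Tokens are allowlisted by SHA-256 fingerprint so the proxy configuration never stores raw API tokens. The Authorization header format, the allowlist mechanism and the demo token are assumptions of the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// backgroundPath matches the endpoint named in the advisory.
var backgroundPath = regexp.MustCompile(`^/api/v1/projects/\d+/background/?$`)

// tokenFingerprint returns the hex SHA-256 of a bearer token so the
// allowlist can be kept in proxy configuration without raw secrets.
func tokenFingerprint(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return hex.EncodeToString(sum[:])
}

// GuardBackgroundDeletes wraps the upstream handler (in a real deployment the
// reverse proxy to Vikunja) and blocks DELETE on the project background
// endpoint unless the token's fingerprint is in allowed. A missing or
// malformed Authorization header is treated as not allowed. Every other
// request passes through unchanged, so the workaround does not affect
// normal reads and writes of backgrounds.
func GuardBackgroundDeletes(next http.Handler, allowed map[string]bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodDelete && backgroundPath.MatchString(r.URL.Path) {
			tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
			if tok == "" || !allowed[tokenFingerprint(tok)] {
				http.Error(w, "project background deletion is blocked at the proxy", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Stand-in for the proxy to Vikunja; echoes what reached it.
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "upstream saw %s %s\n", r.Method, r.URL.Path)
	})
	// Constructed demo token; in practice load fingerprints from configuration.
	allowed := map[string]bool{tokenFingerprint("tk_delete_demo"): true}
	http.ListenAndServe("127.0.0.1:8080", GuardBackgroundDeletes(upstream, allowed))
}
```

The guard only helps if the proxy terminates TLS and sees the Authorization header, and it is a stopgap: it does not fix the scope check inside Vikunja, so the upgrade to 2.3.0 remains the actual remediation. Note that the allowlist is keyed by token value, not by scope, because the proxy cannot see which scopes a token carries; it should contain only tokens whose holders are expected to delete backgrounds.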
# Upgrade example (shell)
# Docker Compose deployment: pull the patched image and recreate the containers.
# This only takes effect if the compose file pins the image to vikunja/vikunja:2.3.0
# (or a tag that resolves to it); otherwise update the image line first.
docker pull vikunja/vikunja:2.3.0
docker-compose down && docker-compose up -d
# Binary installation: download the patched binary, install it over the running
# one, then restart the service. The install path /usr/local/bin/vikunja and the
# unit name "vikunja" are assumptions; adjust them to your deployment.
wget https://github.com/go-vikunja/vikunja/releases/download/v2.3.0/vikunja-linux-amd64
chmod +x vikunja-linux-amd64
install -m 0755 vikunja-linux-amd64 /usr/local/bin/vikunja
systemctl restart vikunja
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

