CVE-2026-35596

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

4.3 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N                                    

Vulnerability Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed. This vulnerability is fixed in 2.3.0.

Vulnerability Details

Published Date

April 10, 2026

Last Modified

April 13, 2026

CWE ID

CWE-863

Source

NVD

Vendor

go-vikunja

Product

vikunja

External References

https://github.com/go-vikunja/vikunja/commit/fc216c38afaa51dd56dde7a97343d2148ecf24c1
https://github.com/go-vikunja/vikunja/pull/2578
https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-hj5c-mhh2-g7jq

CVE-2026-35596

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment