HIGH · CVE-2026-35595 · CVSS 8.3

CVE-2026-35595: Privilege Escalation in Vikunja API

Platform

go

Component

code.vikunja.io/api

Fixed in

2.3.1

2.3.0

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-35595 describes a privilege escalation vulnerability in the Vikunja API, specifically in the project reparenting functionality (moving a project under a different parent project). The flaw allows an authenticated user to elevate their privileges, leading to unauthorized access to and control over data they should not be able to reach. It affects Vikunja API versions prior to v2.3.0; a fix is available in version 2.3.0.


Impact and Attack Scenarios

Successful exploitation of CVE-2026-35595 could allow an attacker with a valid account to gain elevated privileges within the Vikunja instance. This could manifest as the ability to modify or delete data belonging to other users, bypass access controls, or even gain administrative access. The blast radius depends on the level of access gained; in the worst case an attacker could compromise the entire Vikunja instance and the data it contains. No real-world exploitation has been publicly reported, but the privilege escalation potential makes this a significant security concern.

Exploitation Context

CVE-2026-35595 was published on 2026-04-10. Its severity is rated HIGH with a CVSS score of 8.3. As of this writing, there are no publicly available proof-of-concept exploits, and the vulnerability is not listed in the CISA KEV catalog. The advisory notes that some affected versions could not be automatically mapped to standard Go module versions, so vulnerability scanners may report false positives for this CVE.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 1 threat report

EPSS

0.03% (9% percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1 base vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L (8.3, HIGH)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: Low (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Component: code.vikunja.io/api
Vendor: osv
Affected range: < 2.3.0
Fixed in: 2.3.1, 2.3.0
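The affected range above is the kind of check a dependency scanner performs. The following Go program is an added example, not code from the Vikunja project or from this advisory's publisher: it parses a go.mod file, finds the pinned version of code.vikunja.io/api, and reports whether that version is below the fixed version 2.3.0. The go.mod contents are constructed for the example. Pre-release versions (for example v2.3.0-rc1) are treated as older than the release they precede, and versions that cannot be parsed are reported as an error rather than silently classified, which matches the advisory's note that some versions do not map cleanly to Go module versions.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Module and fixed version come from the advisory.
const (
	vulnerableModule = "code.vikunja.io/api"
	fixedVersion     = "v2.3.0"
)

// parseSemver splits "v2.3.1" or "2.3.1-rc1" into three numeric parts and
// a prerelease flag. Anything without three numeric components (for
// example "garbage" or "v2.3") is rejected so the caller can flag it for
// a manual check instead of guessing. Pseudo-versions such as
// v0.0.0-20240101-abcdef parse as prereleases of their base version.
func parseSemver(v string) (parts [3]int, prerelease bool, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		prerelease = strings.HasPrefix(v[i:], "-")
		v = v[:i]
	}
	fields := strings.Split(v, ".")
	if len(fields) != 3 {
		return parts, false, fmt.Errorf("unparseable version %q", v)
	}
	for i, f := range fields {
		n, convErr := strconv.Atoi(f)
		if convErr != nil {
			return parts, false, fmt.Errorf("unparseable version %q", v)
		}
		parts[i] = n
	}
	return parts, prerelease, nil
}

// isBefore reports whether version a sorts before version b.
// A prerelease of b (e.g. v2.3.0-rc1) sorts before b itself.
func isBefore(a, b string) (bool, error) {
	pa, preA, err := parseSemver(a)
	if err != nil {
		return false, err
	}
	pb, preB, err := parseSemver(b)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i], nil
		}
	}
	return preA && !preB, nil
}

// RequiredVersion returns the version pinned for module in a go.mod file,
// handling both single-line and block "require" directives and ignoring
// trailing comments such as "// indirect".
func RequiredVersion(goMod, module string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	inBlock := false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if c := strings.Index(line, "//"); c >= 0 {
			line = strings.TrimSpace(line[:c])
		}
		switch line {
		case "require (":
			inBlock = true
			continue
		case ")":
			inBlock = false
			continue
		}
		fields := strings.Fields(line)
		if !inBlock && len(fields) == 3 && fields[0] == "require" {
			fields = fields[1:]
		}
		if len(fields) == 2 && fields[0] == module {
			return fields[1], true
		}
	}
	return "", false
}

// CheckGoMod reports whether goMod pins a version of the vulnerable module
// below the fixed version. A non-nil error means the version could not be
// parsed and needs a manual check.
func CheckGoMod(goMod string) (affected bool, version string, err error) {
	v, ok := RequiredVersion(goMod, vulnerableModule)
	if !ok {
		return false, "", nil // module not used at all
	}
	before, err := isBefore(v, fixedVersion)
	if err != nil {
		return false, v, err
	}
	return before, v, nil
}

// Constructed sample go.mod files; not taken from any real project.
const sampleVulnerable = `module example.com/app

go 1.22

require (
	code.vikunja.io/api v2.2.0 // indirect
	github.com/other/lib v1.0.0
)
`

const samplePatched = `module example.com/app

go 1.22

require code.vikunja.io/api v2.3.1
`

func main() {
	for _, m := range []string{sampleVulnerable, samplePatched} {
		affected, v, err := CheckGoMod(m)
		if err != nil {
			fmt.Println("could not classify version", v, ":", err)
			continue
		}
		fmt.Printf("%s %s affected=%v\n", vulnerableModule, v, affected)
	}
}
```

Running the program prints one line per sample: v2.2.0 is reported as affected and v2.3.1 as not. Real scanners also resolve replace directives and transitive requirements via `go list -m all`; this example only reads the direct go.mod pin.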

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-35595 is to upgrade Vikunja API to version 2.3.0 or later, which contains the fix. If an immediate upgrade is not possible because of compatibility issues or downtime constraints, tighten access controls and monitor project reparenting activity for unexpected changes. A generic WAF rule is unlikely to help, since reparenting is a legitimate authenticated API operation, but logging and reviewing API calls that change a project's parent can reveal exploitation attempts. After upgrading, verify the fix by attempting a project reparenting operation with a low-privilege user account and confirming that the operation is denied.
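One way to implement the monitoring suggested above, as an added example that is not part of the advisory or of Vikunja's own code: the Go program below scans newline-delimited JSON API access logs for project updates that set a new parent and raises an alert for each one, marking with higher priority any reparent into a project the acting user is not known to administer. The log field names, the update endpoint path (`POST /api/v1/projects/{id}`), the `parent_project_id` body field, the admin allow-list and the log lines themselves are all assumptions constructed for this example; adapt them to the fields your Vikunja deployment actually logs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// apiEvent is the shape of one constructed API access-log record. The field
// names are assumptions for this example, not Vikunja's real log format.
type apiEvent struct {
	Time   string          `json:"ts"`
	User   string          `json:"user"`
	Method string          `json:"method"`
	Path   string          `json:"path"`
	Body   json.RawMessage `json:"body"`
}

// projectUpdatePath assumes the update endpoint is POST /api/v1/projects/{id}.
var projectUpdatePath = regexp.MustCompile(`^/api/v1/projects/(\d+)$`)

// Alert describes one reparenting request worth reviewing.
type Alert struct {
	Time, User, Project, NewParent, Reason string
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// FindReparents scans newline-delimited JSON log lines and returns one Alert
// for every project update that sets parent_project_id. adminsOf maps a
// project id to the users known to administer it (a constructed allow-list);
// a reparent into a project the actor does not administer gets a stronger
// reason so it can be triaged first.
func FindReparents(logs string, adminsOf map[string][]string) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(strings.TrimSpace(logs), "\n") {
		var ev apiEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			continue // malformed line; a real pipeline would count these
		}
		m := projectUpdatePath.FindStringSubmatch(ev.Path)
		if m == nil || ev.Method != "POST" {
			continue // not a project update
		}
		var body struct {
			ParentProjectID *int64 `json:"parent_project_id"`
		}
		if err := json.Unmarshal(ev.Body, &body); err != nil || body.ParentProjectID == nil {
			continue // update that does not touch the parent
		}
		parent := strconv.FormatInt(*body.ParentProjectID, 10)
		reason := "project reparented"
		if !contains(adminsOf[parent], ev.User) {
			reason = "reparented into a project the actor does not administer"
		}
		alerts = append(alerts, Alert{ev.Time, ev.User, m[1], parent, reason})
	}
	return alerts
}

// Constructed sample log lines; not captured from a real instance.
const sampleLogs = `
{"ts":"2026-04-11T09:00:00Z","user":"alice","method":"POST","path":"/api/v1/projects/42","body":{"title":"Renamed"}}
{"ts":"2026-04-11T09:01:00Z","user":"alice","method":"POST","path":"/api/v1/projects/42","body":{"parent_project_id":7}}
{"ts":"2026-04-11T09:02:00Z","user":"bob","method":"POST","path":"/api/v1/projects/43","body":{"parent_project_id":7}}
{"ts":"2026-04-11T09:03:00Z","user":"bob","method":"GET","path":"/api/v1/projects/7","body":null}
not json at all
`

// sampleAdmins is a constructed allow-list: project 7 is administered by alice.
var sampleAdmins = map[string][]string{"7": {"alice"}}

func main() {
	for _, a := range FindReparents(sampleLogs, sampleAdmins) {
		fmt.Printf("%s user=%s project=%s new_parent=%s: %s\n",
			a.Time, a.User, a.Project, a.NewParent, a.Reason)
	}
}
```

On the sample input the program reports two reparents: alice moving project 42 under project 7 (which she administers) and bob moving project 43 under project 7, the latter flagged for priority review. Rename-only updates, read requests and malformed lines produce nothing. Feeding these alerts into your SIEM with a threshold on the high-priority reason gives a practical interim detection until the upgrade to 2.3.0 is done.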

How to fix

Update Vikunja to version 2.3.0 or later to mitigate the privilege escalation vulnerability. The update corrects the permission logic in the handling of project parent changes, preventing users from incorrectly inheriting administrator permissions when a project is moved under a new parent.


Frequently asked questions

What is CVE-2026-35595 — Privilege Escalation in Vikunja API?

CVE-2026-35595 is a HIGH severity vulnerability in Vikunja API versions before 2.3.0 that allows an attacker to escalate privileges via Project Reparenting, potentially gaining unauthorized access.

Am I affected by CVE-2026-35595 in Vikunja API?

Yes, if you are using Vikunja API versions prior to 2.3.0, you are potentially affected by this vulnerability. Upgrade to the latest version to mitigate the risk.

How do I fix CVE-2026-35595 in Vikunja API?

The recommended fix is to upgrade Vikunja API to version 2.3.0 or later. This version contains the necessary patch to address the privilege escalation vulnerability.

Is CVE-2026-35595 being actively exploited?

As of now, there are no publicly confirmed reports of active exploitation of CVE-2026-35595. However, the potential for privilege escalation warrants immediate attention and remediation.

Where can I find the official Vikunja advisory for CVE-2026-35595?

Refer to the official Vikunja security advisory for detailed information and updates regarding CVE-2026-35595. Check the Vikunja project website or GitHub repository for the latest announcements.
