Platform
go
Component
code.vikunja.io/api
Fixed in
2.3.1
2.3.0
CVE-2026-35595 describes a Privilege Escalation vulnerability discovered in the Vikunja API, specifically within the project reparenting functionality. This flaw allows an attacker to potentially elevate their privileges, leading to unauthorized access and control. The vulnerability impacts versions of Vikunja API prior to v2.3.0. A fix is available in version 2.3.0.
Successful exploitation of CVE-2026-35595 could allow an attacker to gain elevated privileges within the Vikunja system. This could manifest as the ability to modify or delete data belonging to other users, bypass access controls, or even gain administrative access. The blast radius of this vulnerability depends on the level of access gained; a successful attack could compromise the entire Vikunja instance and the data it contains. While no specific real-world exploitation has been publicly reported, the potential for privilege escalation makes this a significant security concern.
CVE-2026-35595 was published on 2026-04-10. Its severity is rated HIGH with a CVSS score of 8.3. As of this writing, there are no publicly available proof-of-concept exploits. The vulnerability is not currently listed on the CISA KEV catalog. The advisory notes that some versions could not be automatically mapped to standard Go module versions, potentially leading to false positives from vulnerability scanners.
Exploit Status
EPSS
0.03% (9% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-35595 is to upgrade Vikunja API to version 2.3.0 or later, which contains the necessary fix. If an immediate upgrade is not possible due to compatibility issues or downtime constraints, consider implementing stricter access controls and monitoring project reparenting activities for suspicious behavior. While a direct WAF rule is unlikely, monitoring API calls related to project management and reparenting can help detect potential exploitation attempts. After upgrading, verify the fix by attempting a project reparenting operation with a low-privilege user account and confirming that the operation is denied.
Update Vikunja to version 2.3.0 or later to mitigate the privilege escalation vulnerability. The update corrects the permission logic in the handling of project parent changes, preventing users from incorrectly inheriting administrator permissions.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-35595 is a HIGH severity vulnerability in Vikunja API versions before 2.3.0 that allows an attacker to escalate privileges via Project Reparenting, potentially gaining unauthorized access.
Yes, if you are using Vikunja API versions prior to 2.3.0, you are potentially affected by this vulnerability. Upgrade to the latest version to mitigate the risk.
The recommended fix is to upgrade Vikunja API to version 2.3.0 or later. This version contains the necessary patch to address the privilege escalation vulnerability.
As of now, there are no publicly confirmed reports of active exploitation of CVE-2026-35595. However, the potential for privilege escalation warrants immediate attention and remediation.
Refer to the official Vikunja security advisory for detailed information and updates regarding CVE-2026-35595. Check the Vikunja project website or GitHub repository for the latest announcements.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.