Platform: go
Component: code.vikunja.io/api
Fixed in: 2.3.1, 2.3.0
CVE-2026-35595 describes a Privilege Escalation vulnerability discovered in the Vikunja API, specifically within the project reparenting functionality. This flaw allows an attacker to potentially elevate their privileges, leading to unauthorized access and control. The vulnerability impacts versions of Vikunja API prior to v2.3.0. A fix is available in version 2.3.0.
Successful exploitation of CVE-2026-35595 could allow an attacker to gain elevated privileges within the Vikunja system. This could manifest as the ability to modify or delete data belonging to other users, bypass access controls, or even gain administrative access. The blast radius of this vulnerability depends on the level of access gained; a successful attack could compromise the entire Vikunja instance and the data it contains. While no specific real-world exploitation has been publicly reported, the potential for privilege escalation makes this a significant security concern.
CVE-2026-35595 was published on 2026-04-10. Its severity is rated HIGH with a CVSS score of 8.3. As of this writing, there are no publicly available proof-of-concept exploits. The vulnerability is not currently listed on the CISA KEV catalog. The advisory notes that some versions could not be automatically mapped to standard Go module versions, potentially leading to false positives from vulnerability scanners.
Organizations and individuals using Vikunja API versions prior to 2.3.0 are at risk. This includes those deploying Vikunja in shared hosting environments or using legacy configurations that may not be regularly updated. Users who have granted broad permissions to their Vikunja accounts are particularly vulnerable.
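To decide whether a Go project falls into the affected population described above, the following script is added here as an example (it is not part of the original advisory and not Vikunja project code). It parses a go.mod file, finds the pinned code.vikunja.io/api version and compares it against the fixed release 2.3.0. The module path and the fixed version come from the advisory; the sample go.mod, the handling of a major-version path suffix, and the treatment of pre-release tags are assumptions. Commit-based pseudo-versions are reported as unknown rather than affected, which reflects the advisory's note that some versions could not be mapped to Go module release versions.

```python
import re

# Module path and fixed release as stated in the advisory.
MODULE = "code.vikunja.io/api"
FIXED = (2, 3, 0)

# vMAJOR.MINOR.PATCH with optional pre-release (-rc1) and build metadata (+meta).
SEMVER_RE = re.compile(r"^v(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")
# Go pseudo-versions end in a 14-digit UTC timestamp and a 12-hex-char commit prefix.
PSEUDO_RE = re.compile(r"\d{14}-[0-9a-f]{12}$")


def parse_requires(go_mod_text):
    """Return {module path: version} from single-line and block `require` directives.

    Comments are stripped; `replace` and `exclude` directives are ignored.
    """
    requires = {}
    in_block = False
    for raw in go_mod_text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        if line.startswith("require") and line.endswith("("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        parts = line.split()
        if in_block and len(parts) >= 2:
            requires[parts[0]] = parts[1]
        elif parts[0] == "require" and len(parts) >= 3:
            requires[parts[1]] = parts[2]
    return requires


def classify_version(version):
    """Classify a code.vikunja.io/api version as 'affected', 'fixed' or 'unknown'."""
    if PSEUDO_RE.search(version):
        # Commit-based pseudo-version: cannot be mapped to a release, so do not guess.
        return "unknown"
    m = SEMVER_RE.match(version)
    if not m:
        return "unknown"
    release = tuple(int(x) for x in m.group(1, 2, 3))
    prerelease = m.group(4) is not None
    if release < FIXED:
        return "affected"
    if release == FIXED and prerelease:
        # Assumption: v2.3.0-rc1 sorts before v2.3.0 under semver, so it predates the fix.
        return "affected"
    return "fixed"


def check_go_mod(go_mod_text):
    """Report the pinned Vikunja API version and its status for this advisory."""
    requires = parse_requires(go_mod_text)
    for path, version in requires.items():
        # Assumption: also match a major-version path suffix such as code.vikunja.io/api/v2.
        if path == MODULE or path.startswith(MODULE + "/v"):
            return {"module": path, "version": version, "status": classify_version(version)}
    return {"module": MODULE, "version": None, "status": "not-present"}


# Constructed sample go.mod pinning a version prior to the fix.
SAMPLE_GO_MOD = """\
module example.com/internal-tool

go 1.22

require (
\tcode.vikunja.io/api v2.2.1 // indirect
\tgolang.org/x/crypto v0.21.0
)
"""

if __name__ == "__main__":
    print(check_go_mod(SAMPLE_GO_MOD))
```

Run it against a real go.mod by reading the file and passing its contents to check_go_mod; a status of "unknown" means the pinned version must be checked by hand against the release history rather than trusted as fixed.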
• linux / server: Monitor Vikunja API logs for unusual project reparenting requests. Use journalctl -u vikunja to filter for events related to project modifications.
  journalctl -u vikunja | grep 'project reparenting'
• generic web: Monitor API endpoints related to project management for unexpected requests. Use curl to test access control mechanisms.
  curl -v -H "Authorization: Bearer <low_privilege_token>" https://<vikunja_instance>/api/projects/<project_id>/reparent/<target_parent_id>
• go: Examine Vikunja API source code for the project reparenting logic and look for potential vulnerabilities in input validation or access control checks.
Disclosure
Exploit status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-35595 is to upgrade Vikunja API to version 2.3.0 or later, which contains the necessary fix. If an immediate upgrade is not possible due to compatibility issues or downtime constraints, consider implementing stricter access controls and monitoring project reparenting activities for suspicious behavior. While a direct WAF rule is unlikely, monitoring API calls related to project management and reparenting can help detect potential exploitation attempts. After upgrading, verify the fix by attempting a project reparenting operation with a low-privilege user account and confirming that the operation is denied.
Upgrade Vikunja to version 2.3.0 or later to mitigate the privilege escalation vulnerability. The update corrects the permission logic in the handling of parent project changes, preventing users from incorrectly inheriting administrator permissions.
CVE-2026-35595 is a HIGH severity vulnerability in Vikunja API versions before 2.3.0 that allows an attacker to escalate privileges via Project Reparenting, potentially gaining unauthorized access.
Yes, if you are using Vikunja API versions prior to 2.3.0, you are potentially affected by this vulnerability. Upgrade to the latest version to mitigate the risk.
The recommended fix is to upgrade Vikunja API to version 2.3.0 or later. This version contains the necessary patch to address the privilege escalation vulnerability.
As of now, there are no publicly confirmed reports of active exploitation of CVE-2026-35595. However, the potential for privilege escalation warrants immediate attention and remediation.
Refer to the official Vikunja security advisory for detailed information and updates regarding CVE-2026-35595. Check the Vikunja project website or GitHub repository for the latest announcements.