Plataforma
go
Componente
code.vikunja.io/api
Corrigido em
2.3.1
2.3.0
CVE-2026-35595 describes a Privilege Escalation vulnerability discovered in the Vikunja API, specifically within the project reparenting functionality. This flaw allows an attacker to potentially elevate their privileges, leading to unauthorized access and control. The vulnerability impacts versions of Vikunja API prior to v2.3.0. A fix is available in version 2.3.0.
Successful exploitation of CVE-2026-35595 could allow an attacker to gain elevated privileges within the Vikunja system. This could manifest as the ability to modify or delete data belonging to other users, bypass access controls, or even gain administrative access. The blast radius of this vulnerability depends on the level of access gained; a successful attack could compromise the entire Vikunja instance and the data it contains. While no specific real-world exploitation has been publicly reported, the potential for privilege escalation makes this a significant security concern.
CVE-2026-35595 was published on 2026-04-10. Its severity is rated HIGH with a CVSS score of 8.3. As of this writing, there are no publicly available proof-of-concept exploits. The vulnerability is not currently listed on the CISA KEV catalog. The advisory notes that some versions could not be automatically mapped to standard Go module versions, potentially leading to false positives from vulnerability scanners.
Organizations and individuals using Vikunja API versions prior to 2.3.0 are at risk. This includes those deploying Vikunja in shared hosting environments or using legacy configurations that may not be regularly updated. Users who have granted broad permissions to their Vikunja accounts are particularly vulnerable.
• linux / server: Monitor Vikunja API logs for unusual project reparenting requests. Use journalctl -u vikunja to filter for events related to project modifications.
journalctl -u vikunja | grep 'project reparenting'• generic web: Monitor API endpoints related to project management for unexpected requests. Use curl to test access control mechanisms.
curl -v -H "Authorization: Bearer <low_privilege_token>" https://<vikunja_instance>/api/projects/<project_id>/reparent/<target_parent_id>• go: Examine Vikunja API source code for the project reparenting logic and look for potential vulnerabilities in input validation or access control checks.
disclosure
Status do Exploit
EPSS
0.03% (percentil 9%)
CISA SSVC
Vetor CVSS
The primary mitigation for CVE-2026-35595 is to upgrade Vikunja API to version 2.3.0 or later, which contains the necessary fix. If an immediate upgrade is not possible due to compatibility issues or downtime constraints, consider implementing stricter access controls and monitoring project reparenting activities for suspicious behavior. While a direct WAF rule is unlikely, monitoring API calls related to project management and reparenting can help detect potential exploitation attempts. After upgrading, verify the fix by attempting a project reparenting operation with a low-privilege user account and confirming that the operation is denied.
Atualize Vikunja para a versão 2.3.0 ou posterior para mitigar a vulnerabilidade de escalada de privilégios. A atualização corrige a lógica de permissões no tratamento de mudanças de projeto pai, evitando que os usuários herdem permissões de administrador de forma incorreta.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2026-35595 is a HIGH severity vulnerability in Vikunja API versions before 2.3.0 that allows an attacker to escalate privileges via Project Reparenting, potentially gaining unauthorized access.
Yes, if you are using Vikunja API versions prior to 2.3.0, you are potentially affected by this vulnerability. Upgrade to the latest version to mitigate the risk.
The recommended fix is to upgrade Vikunja API to version 2.3.0 or later. This version contains the necessary patch to address the privilege escalation vulnerability.
As of now, there are no publicly confirmed reports of active exploitation of CVE-2026-35595. However, the potential for privilege escalation warrants immediate attention and remediation.
Refer to the official Vikunja security advisory for detailed information and updates regarding CVE-2026-35595. Check the Vikunja project website or GitHub repository for the latest announcements.
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Envie seu arquivo go.mod e descubra na hora se você está afetado.