High severity8.3NVD Advisory· Published Apr 10, 2026· Updated Apr 17, 2026

CVE-2026-35595

Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CanUpdate check at pkg/models/project_permissions.go:139-148 only requires CanWrite on the new parent project when changing parent_project_id. However, Vikunja's permission model uses a recursive CTE that walks up the project hierarchy to compute permissions. Moving a project under a different parent changes the permission inheritance chain. When a user has inherited Write access (from a parent project share) and reparents the child project under their own project tree, the CTE resolves their ownership of the new parent as Admin (permission level 2) on the moved project. This vulnerability is fixed in 2.3.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
code.vikunja.io/apiGo	< 2.3.0	2.3.0

Affected products

Vikunja/Vikunja
cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
Range: <2.3.0

Patches

c03d682f48af

test(project): fix ParadeDB search expectation for fixture child

https://github.com/go-vikunja/vikunjakolaenteApr 9, 2026via ghsa

commit

1 file changed · +4 −1

pkg/models/project_test.go+4 −1 modified

@@ -591,12 +591,15 @@ func TestProject_ReadAll(t *testing.T) {
 		if db.ParadeDBAvailable() {
 			// ParadeDB fuzzy(1, prefix=true) on "TEST10" also matches
 			// "test1", "test11", "test19", "test30" (edit distance 1), etc.
-			require.Len(t, ls, 6)
+			// The recursive CTE also pulls in project 43 as a child of the
+			// matched project 10 (reparent-escalation fixture).
+			require.Len(t, ls, 7)
 			projectIDs := make([]int64, len(ls))
 			for i, p := range ls {
 				projectIDs[i] = p.ID
 			}
 			assert.Contains(t, projectIDs, int64(10))
+			assert.Contains(t, projectIDs, int64(43))
 			assert.Contains(t, projectIDs, int64(-1))
 		} else {
 			// Expect project 10 (the search target), project 43 (its child —

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/go-vikunja/vikunja/commit/c03d682f48aff890eeb3c8b41d38226069722827nvdPatchWEB
github.com/go-vikunja/vikunja/security/advisories/GHSA-2vq4-854f-5c72nvdExploitVendor AdvisoryWEB
github.com/advisories/GHSA-2vq4-854f-5c72ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-35595ghsaADVISORY
github.com/go-vikunja/vikunja/pull/2583nvdIssue TrackingWEB
github.com/go-vikunja/vikunja/releases/tag/v2.3.0nvdRelease NotesWEB

News mentions

No linked articles in our index yet.

cvss	0.540
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000