anonhaven
Ad

CVE-2026-40103

MEDIUM CVSS 3.1: 5.4 EPSS 0.03%
Updated Apr 17, 2026
Vikunja
Parameter Value
CVSS 5.4 (MEDIUM)
Affected Versions before 2.3.0
Fixed In 2.3.0
Type CWE-836
Vendor Vikunja
Public PoC No

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with only projects.background_delete is rejected.

This is a scoped-token authorization bypass. This vulnerability is fixed in 2.3.0.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
None
No data leak
Integrity
Low
Partial data modification
Availability
Low
Partial disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-836

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Vikunja Vikunja
cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
 2.3.0

References 4

https://github.com/go-vikunja/vikunja/commit/6a0f39b252a81fa4b19dc56dc889183acc…
security-advisories@github.com
https://github.com/go-vikunja/vikunja/pull/2584
security-advisories@github.com
https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0
security-advisories@github.com
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-v479-vf79-mg83
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-35602

Vikunja

7.1

CVE-2026-35601

Vikunja

4.1

CVE-2026-35600

Vikunja

5.4

CVE-2026-35599

Vikunja

6.5

CVE-2026-35598

Vikunja

4.3