CVE-2026-35598
Unauthorized Access in Vikunja CalDAV via Inadequate Task Authorization
Publication date: 2026-04-10
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vikunja | vikunja | up to 2.3.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35598 is an authorization vulnerability in the Vikunja task management system's CalDAV interface. Before version 2.3.0, the CalDAV methods GetResource and GetResourcesByList would fetch tasks by their unique identifiers (UIDs) without verifying if the authenticated user had permission to access the task's associated project.
This flaw allowed any authenticated CalDAV user who knew or guessed a task's UID to read the full task data from any project on the instance, regardless of their access rights.
The vulnerability was due to missing authorization checks in the functions handling these requests, specifically ignoring project-level access controls and not verifying that the project ID in the request URL matched the task's actual project.
The issue was fixed by adding multiple layers of authorization enforcement, including filtering tasks at the SQL query level to only include those accessible to the user, verifying project ID consistency between the URL and task data, and enhancing tests to ensure proper authorization.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Vikunja's CalDAV interface allows authenticated users to access task data from projects they are not authorized to view by guessing or knowing task UIDs. This leads to unauthorized disclosure of potentially sensitive task information across project boundaries.
Such unauthorized data access can result in violations of data protection regulations like GDPR and HIPAA, which require strict access controls and protection of personal or sensitive information. The exposure of task details without proper authorization undermines confidentiality requirements mandated by these standards.
Therefore, until fixed (in version 2.3.0), this vulnerability could cause non-compliance with common standards and regulations that mandate access control and data confidentiality.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of task data across projects within the Vikunja system.
An authenticated CalDAV user could read sensitive information such as task titles, descriptions, due dates, priorities, labels, and reminders from any project by knowing or guessing task UIDs.
In multi-tenant deployments, this could result in cross-project or cross-tenant data leakage, exposing confidential or private information to unauthorized users.
The vulnerability has a moderate severity with a CVSS v3.1 base score of 4.3, indicating a network attack vector with low complexity and low privileges required, but no impact on integrity or availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access task data via the CalDAV interface using known or guessed task UIDs, and verifying whether unauthorized data is returned.
Specifically, you can test if the CalDAV GetResource or GetResourcesByList methods return task details for tasks outside your authorized projects by manipulating the UID or project ID in the CalDAV URL.
A practical approach is to use HTTP requests or CalDAV client tools to send GET or REPORT requests to endpoints like /dav/projects/{projectID}/{taskUID}.ics with UIDs that you should not have access to, and observe if the server returns HTTP 200 OK with task data instead of HTTP 403 Forbidden or 404 Not Found.
Example commands using curl to test unauthorized access might include:
- `curl -i -u <user>:<password> https://<vikunja-server>/dav/projects/<projectID>/<taskUID>.ics`
- `curl -i -u <user>:<password> -X REPORT --data '<calendar-multiget REPORT XML body with task UIDs>' https://<vikunja-server>/dav/projects/<projectID>/`
If these requests return full task details for tasks outside your authorized projects, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade Vikunja to version 2.3.0 or later, where this vulnerability has been fixed.
The fix includes enforcing authorization checks at multiple levels: filtering tasks by accessible projects in the SQL query, verifying that the project ID in the CalDAV URL matches the task's actual project ID, and rejecting requests that fail these checks.
Until you can upgrade, consider restricting access to the CalDAV interface to trusted users only, monitoring for suspicious CalDAV requests that attempt to access unauthorized tasks, and reviewing logs for unusual access patterns involving task UIDs.
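As an added illustration of the fix described in the answers above (this is example code written for this page, not Vikunja's own implementation), the following Go program places a lookup-by-UID-only resource fetch beside one that applies both checks the fix introduces: restricting the search to projects the caller may read and requiring the task's project to match the project ID in the URL. The `Task` type, the `tasks` and `projectReaders` data and the two function names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for the data involved; not Vikunja's own types or code.
type Task struct {
	UID       string
	ProjectID int64
	Title     string
}

// Constructed sample data: two projects, each readable by exactly one user ID.
var tasks = []Task{
	{UID: "uid-a", ProjectID: 1, Title: "Quarterly budget"},
	{UID: "uid-b", ProjectID: 2, Title: "HR review"},
}
var projectReaders = map[int64]map[int64]bool{1: {10: true}, 2: {20: true}}
var ErrNotFound = errors.New("task not found")
// getResourceVulnerable mirrors the pre-2.3.0 behaviour the advisory describes: the task
// is located by UID alone, so any authenticated caller who knows a UID receives it.
func getResourceVulnerable(userID, urlProjectID int64, uid string) (Task, error) {
	for _, t := range tasks {
		if t.UID == uid {
			return t, nil
		}
	}
	return Task{}, ErrNotFound
}
// getResourceFixed applies the two checks the fix introduces: only projects the caller
// may read are searched (the SQL-level filter), and the task's project must equal the
// project ID from the URL. Both failures answer "not found" rather than revealing the task.
func getResourceFixed(userID, urlProjectID int64, uid string) (Task, error) {
	for _, t := range tasks {
		if t.UID == uid && projectReaders[t.ProjectID][userID] && t.ProjectID == urlProjectID {
			return t, nil
		}
	}
	return Task{}, ErrNotFound
}

func main() {
	// User 20 may only read project 2 but asks for uid-a (project 1) under project 1's URL.
	_, errV := getResourceVulnerable(20, 1, "uid-a")
	_, errF := getResourceFixed(20, 1, "uid-a")
	fmt.Println("vulnerable serves the task:", errV == nil, "| fixed denies it:", errF != nil)
}
```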