CVE-2026-35601
Received Received - Intake
iCalendar Injection via CRLF in Vikunja CalDAV Output

Publication date: 2026-04-10

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as ATTACH, VALARM, or ORGANIZER. This vulnerability is fixed in 2.3.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35601
EUVD
EUVD-2026-21428
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vikunja vikunja to 2.3.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-35601 is a moderate severity vulnerability in the Vikunja task management platform affecting versions prior to 2.3.0. The issue arises because the CalDAV output generator builds iCalendar VTODO entries by concatenating user-controlled strings directly without applying the required escaping for special characters as defined in RFC 5545.

Specifically, task titles and other user-controlled fields can contain carriage return and line feed (CRLF) characters that break the iCalendar property boundaries. This allows an attacker to inject arbitrary iCalendar properties such as ATTACH, VALARM, or ORGANIZER into the calendar data.

An authenticated user with write access can craft task titles with CRLF sequences that cause CalDAV clients to interpret injected lines as legitimate calendar properties, potentially leading to malicious attachments, fake alarms, or spoofed organizer identities.

The root cause is improper neutralization of CRLF sequences (CWE-93). The vulnerability was fixed by applying proper escaping of special characters in all user-controlled fields before outputting them in iCalendar format.

Impact Analysis

This vulnerability can impact users by allowing attackers to inject malicious content into calendar data that other users synchronize via CalDAV.

  • Injection of malicious attachment URLs (ATTACH) that CalDAV clients may automatically download or display.
  • Creation of fake alarm notifications (VALARM) that can be used for social engineering or phishing.
  • Spoofing of organizer identity (ORGANIZER) to impersonate trusted users or entities.

Overall, the vulnerability can lead to integrity issues in calendar data and potential exposure to malicious payloads through trusted calendar clients.

Detection Guidance

This vulnerability can be detected by inspecting CalDAV iCalendar outputs for injected CRLF sequences in user-controlled fields such as task titles, project names, or categories. Specifically, look for iCalendar properties like ATTACH, VALARM, or ORGANIZER that appear unexpectedly within VTODO entries.

A practical approach is to query the CalDAV endpoint for tasks and examine the raw iCalendar data for suspicious line breaks or injected properties.

Example commands to detect this might include using curl or wget to fetch CalDAV data and grep or awk to search for suspicious patterns:

  • curl -u username:password https://your-vikunja-instance/caldav/tasks | grep -E 'ATTACH:|VALARM:|ORGANIZER:'
  • curl -u username:password https://your-vikunja-instance/caldav/tasks | grep -P '\r\n'

Additionally, review task titles or other user inputs for embedded CR or LF characters by querying the Vikunja REST API and inspecting the JSON responses for suspicious characters.

Mitigation Strategies

The immediate mitigation step is to upgrade Vikunja to version 2.3.0 or later, where this vulnerability is fixed by applying proper RFC 5545 TEXT value escaping to all user-controlled fields in CalDAV outputs.

If upgrading immediately is not possible, restrict write access to shared projects to trusted users only, as the vulnerability requires authenticated users with write permissions to inject malicious content.

Additionally, monitor CalDAV outputs for suspicious injected properties and consider disabling CalDAV synchronization temporarily if exploitation is suspected.

Apply network-level controls such as filtering or alerting on suspicious CalDAV traffic containing unexpected iCalendar properties.

Compliance Impact

The vulnerability allows authenticated users with write access to inject arbitrary iCalendar properties into CalDAV outputs, potentially leading to malicious attachments, fake alarms, or spoofed organizer identities being propagated to other users.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the injection of malicious content and spoofing could lead to integrity issues and social engineering attacks that might indirectly impact compliance by compromising data integrity and user trust.

The vulnerability has a moderate CVSS score and involves improper neutralization of CRLF sequences, which is a security best practice concern but does not directly disclose personal data or confidentiality breaches.

Therefore, organizations relying on Vikunja for task management and calendar synchronization should consider this vulnerability as a risk to data integrity and user trust, which are important aspects of compliance frameworks, and apply the patch to maintain secure operations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35601. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart