CVE-2026-35601
iCalendar Injection via CRLF in Vikunja CalDAV Output
Publication date: 2026-04-10
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vikunja | vikunja | < 2.3.0 (2.3.0 itself is fixed) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35601 is a moderate severity vulnerability in the Vikunja task management platform affecting versions prior to 2.3.0. The issue arises because the CalDAV output generator builds iCalendar VTODO entries by concatenating user-controlled strings directly without applying the required escaping for special characters as defined in RFC 5545.
Specifically, task titles and other user-controlled fields can contain carriage return and line feed (CRLF) characters that break the iCalendar property boundaries. This allows an attacker to inject arbitrary iCalendar properties such as ATTACH, VALARM, or ORGANIZER into the calendar data.
An authenticated user with write access can craft task titles with CRLF sequences that cause CalDAV clients to interpret injected lines as legitimate calendar properties, potentially leading to malicious attachments, fake alarms, or spoofed organizer identities.
The root cause is improper neutralization of CRLF sequences (CWE-93). The vulnerability was fixed by applying proper escaping of special characters in all user-controlled fields before outputting them in iCalendar format.
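The mechanism and the fix side by side, as an added example that is not Vikunja's own code: a serializer that concatenates the title unescaped lets a CR/LF in the title terminate the SUMMARY line and start a new property, while RFC 5545 TEXT escaping keeps the whole title inside one content line. The helper names and the constructed sample title are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeText applies RFC 5545 section 3.3.11 TEXT escaping: backslash,
// semicolon and comma get a backslash, and any CR/LF becomes the two
// characters "\n", so a value can never end the content line it sits in.
func escapeText(s string) string {
	return strings.NewReplacer(
		`\`, `\\`, ";", `\;`, ",", `\,`,
		"\r\n", `\n`, "\r", `\n`, "\n", `\n`,
	).Replace(s)
}

// vulnerableVTODO mirrors the flaw the advisory describes: user-controlled
// values are concatenated into content lines unescaped.
func vulnerableVTODO(uid, title string) string {
	return "BEGIN:VTODO\r\nUID:" + uid + "\r\nSUMMARY:" + title + "\r\nEND:VTODO\r\n"
}

// fixedVTODO is the same serializer with every user-controlled value escaped.
func fixedVTODO(uid, title string) string {
	return "BEGIN:VTODO\r\nUID:" + escapeText(uid) + "\r\nSUMMARY:" + escapeText(title) + "\r\nEND:VTODO\r\n"
}

// propertyNames lists the property name of each content line, i.e. what a
// CalDAV client will treat as the component's properties.
func propertyNames(ical string) []string {
	var names []string
	for _, line := range strings.Split(strings.TrimSuffix(ical, "\r\n"), "\r\n") {
		if i := strings.IndexAny(line, ":;"); i > 0 {
			names = append(names, line[:i])
		}
	}
	return names
}

func main() {
	// Constructed sample title: a CRLF followed by a property the title should never be able to add.
	title := "Buy milk\r\nATTACH:https://example.invalid/file"
	fmt.Println(propertyNames(vulnerableVTODO("task-1", title))) // [BEGIN UID SUMMARY ATTACH END]
	fmt.Println(propertyNames(fixedVTODO("task-1", title)))      // [BEGIN UID SUMMARY END]
}
```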
How can this vulnerability impact me?
This vulnerability can impact users by allowing attackers to inject malicious content into calendar data that other users synchronize via CalDAV.
- Injection of malicious attachment URLs (ATTACH) that CalDAV clients may automatically download or display.
- Creation of fake alarm notifications (VALARM) that can be used for social engineering or phishing.
- Spoofing of organizer identity (ORGANIZER) to impersonate trusted users or entities.
Overall, the vulnerability can lead to integrity issues in calendar data and potential exposure to malicious payloads through trusted calendar clients.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting CalDAV iCalendar outputs for injected CRLF sequences in user-controlled fields such as task titles, project names, or categories. Specifically, look for iCalendar properties like ATTACH, VALARM, or ORGANIZER that appear unexpectedly within VTODO entries.
A practical approach is to query the CalDAV endpoint for tasks and examine the raw iCalendar data for suspicious line breaks or injected properties.
Example commands: fetch the raw CalDAV data with curl and search it for the properties named above. Searching the feed for CRLF itself is not useful, because every iCalendar content line is CRLF-terminated and an injected line break looks exactly like a legitimate one in the output:
- curl -u username:password https://your-vikunja-instance/caldav/tasks | grep -E '^(ATTACH|ORGANIZER)[:;]|^BEGIN:VALARM'
The more reliable check is at the source: query the Vikunja REST API and look for task titles (or other user-supplied fields) containing embedded CR or LF characters, which the JSON encoding shows as the escape sequences \r and \n. With jq installed (the endpoint path is assumed from the Vikunja API and the listing is paginated, so adjust and repeat per page for your instance):
- curl -H "Authorization: Bearer $TOKEN" https://your-vikunja-instance/api/v1/tasks/all | jq -r '.[] | select(.title | test("[\r\n]")) | .id'
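A scanner for the check described above, added here as an example rather than a Vikunja tool: it unfolds a raw iCalendar feed (RFC 5545 line folding would otherwise make a legitimately wrapped SUMMARY look like a new property) and reports, per VTODO UID, any ATTACH, ORGANIZER or VALARM lines. Reminders can legitimately produce VALARM, so hits are leads to triage rather than verdicts; the sample feed is constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample feed: one VTODO with an injected ATTACH line, one with a
// legitimately folded SUMMARY that must not be reported.
const sampleFeed = "BEGIN:VCALENDAR\r\nBEGIN:VTODO\r\nUID:t1\r\nSUMMARY:Buy milk\r\nATTACH:https://example.invalid/file\r\nEND:VTODO\r\n" +
	"BEGIN:VTODO\r\nUID:t2\r\nSUMMARY:long\r\n ATTACH:folded\r\nEND:VTODO\r\nEND:VCALENDAR\r\n"

// injectedProperties reports, per VTODO UID, the content lines carrying the
// properties the advisory names (ATTACH, ORGANIZER, VALARM). Folded lines
// (CRLF followed by a space or tab, RFC 5545 section 3.1) are joined first so
// a legitimately wrapped SUMMARY is not misread as a new property.
func injectedProperties(ical string) map[string][]string {
	unfolded := strings.NewReplacer("\r\n ", "", "\r\n\t", "", "\n ", "", "\n\t", "").Replace(ical)
	found := map[string][]string{}
	uid, cur := "", []string(nil)
	for _, l := range strings.Split(unfolded, "\n") {
		l = strings.TrimRight(l, "\r")
		switch {
		case l == "BEGIN:VTODO":
			uid, cur = "", nil
		case l == "END:VTODO" && len(cur) > 0:
			found[uid] = cur
		case strings.HasPrefix(l, "UID:"):
			uid = l[4:]
		case strings.HasPrefix(l, "ATTACH:"), strings.HasPrefix(l, "ATTACH;"),
			strings.HasPrefix(l, "ORGANIZER:"), strings.HasPrefix(l, "ORGANIZER;"), l == "BEGIN:VALARM":
			cur = append(cur, l)
		}
	}
	return found
}

func main() {
	for uid, lines := range injectedProperties(sampleFeed) {
		fmt.Printf("VTODO %s: %q\n", uid, lines)
	}
}
```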
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Vikunja to version 2.3.0 or later, where this vulnerability is fixed by applying proper RFC 5545 TEXT value escaping to all user-controlled fields in CalDAV outputs.
If upgrading immediately is not possible, restrict write access to shared projects to trusted users only, as the vulnerability requires authenticated users with write permissions to inject malicious content.
Additionally, monitor CalDAV outputs for suspicious injected properties and consider disabling CalDAV synchronization temporarily if exploitation is suspected.
Apply network-level controls such as filtering or alerting on suspicious CalDAV traffic containing unexpected iCalendar properties.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated users with write access to inject arbitrary iCalendar properties into CalDAV outputs, potentially leading to malicious attachments, fake alarms, or spoofed organizer identities being propagated to other users.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the injection of malicious content and spoofing could lead to integrity issues and social engineering attacks that might indirectly impact compliance by compromising data integrity and user trust.
The vulnerability has a moderate CVSS score and involves improper neutralization of CRLF sequences, which is a security best practice concern but does not directly disclose personal data or confidentiality breaches.
Therefore, organizations relying on Vikunja for task management and calendar synchronization should consider this vulnerability as a risk to data integrity and user trust, which are important aspects of compliance frameworks, and apply the patch to maintain secure operations.