CVE-2026-35602
Status: Received - Intake
File Size Bypass in Vikunja Import Allows Large File Uploads

Publication date: 2026-04-10

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the Vikunja file import endpoint uses the attacker-controlled Size field from the JSON metadata inside the import zip instead of the actual decompressed file content length for the file size enforcement check. By setting Size to 0 in the JSON while including large compressed file entries in the zip, an attacker bypasses the configured maximum file size limit. This vulnerability is fixed in 2.3.0.
Meta Information
Published: 2026-04-10
Last Modified: 2026-04-17
Generated: 2026-05-06
AI Q&A: 2026-04-10
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor    Product    Version / Range
vikunja   vikunja    up to 2.3.0 (2.3.0 excluded)
Helpful Resources
CWE ID    Description
CWE-770   The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows authenticated users to bypass file size limits by uploading compressed ZIP files that decompress into large files, potentially exhausting server storage and causing denial of service.

While the vulnerability impacts availability by enabling resource exhaustion, it does not affect confidentiality or integrity directly.

Because it can lead to denial of service and uncontrolled resource consumption without per-user quotas, organizations using Vikunja may face challenges in maintaining compliance with standards that require availability and resource management controls, such as HIPAA's availability requirements or GDPR's data protection principles.

However, there is no direct indication from the provided information that this vulnerability leads to unauthorized data disclosure or modification, which are critical for compliance with confidentiality and integrity requirements.


Can you explain this vulnerability to me?

CVE-2026-35602 is a moderate severity vulnerability in Vikunja, an open-source self-hosted task management platform, affecting versions prior to 2.3.0.

The vulnerability occurs because the file import endpoint trusts an attacker-controlled "Size" field from JSON metadata inside an import ZIP archive instead of using the actual decompressed file content length to enforce the maximum file size limit.

An attacker can set the "Size" field to 0 in the JSON metadata while including large compressed files in the ZIP, bypassing the configured maximum file size check (default 20MB). This allows uploading files much larger than the limit, potentially up to hundreds of megabytes or more after decompression.

This happens because the import process compares the attacker-supplied size against the limit, and if the size is set to 0, the check passes incorrectly, allowing the import to proceed with large files.


How can this vulnerability impact me?

This vulnerability allows authenticated users to bypass file size limits by uploading small compressed ZIP files that decompress into very large files, which can exhaust server storage.

  • An attacker can upload a small compressed file (e.g., 25KB) that decompresses to a much larger size (e.g., 25MB or more), bypassing the 20MB file size limit.
  • Repeated exploitation can fill the server's disk space, leading to denial of service for all users of the Vikunja instance.
  • There is no per-user storage quota to mitigate this risk, increasing the potential impact.

Overall, the vulnerability can cause resource exhaustion and availability issues on the server hosting Vikunja.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves an attacker bypassing file size limits by uploading ZIP files with manipulated JSON metadata. Detection can focus on monitoring for unusually large decompressed file sizes relative to the reported size in the JSON metadata inside import ZIP files.

You can detect suspicious activity by inspecting the contents of ZIP files being imported, especially the data.json file inside the ZIP, to verify if the "Size" field matches the actual decompressed file size.

Suggested commands include extracting and inspecting the ZIP contents and comparing file sizes:

  • Unzip the import ZIP file: unzip suspicious_import.zip -d /tmp/import_contents
  • Check the Size field of each file entry in data.json: jq '.files[].Size' /tmp/import_contents/data.json
  • Compare the reported Size with the actual decompressed file sizes on disk: find /tmp/import_contents -type f -exec ls -l {} \;

Additionally, monitoring server disk usage spikes or unusually large file uploads by authenticated users may help detect exploitation attempts.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Vikunja to version 2.3.0 or later, where the vulnerability is fixed.

The fix includes enforcing file size limits based on the actual decompressed file content length rather than trusting the attacker-controlled JSON "Size" field.

Until upgrading, consider these immediate steps:

  • Restrict authenticated user permissions to limit who can import files.
  • Monitor and limit disk usage to detect and prevent resource exhaustion.
  • Manually inspect import ZIP files for suspiciously small reported sizes with large actual content.

Implementing per-user storage quotas or additional file size validation outside of Vikunja may also help mitigate risk until the patch is applied.
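The following is an added illustration, not Vikunja's code and not taken from this page, of the flawed check (enforcing the limit on the manifest's Size) beside the hardened one (enforcing it on the bytes the entry really inflates to, read through a capped reader). The data.json layout, the files/<ID> entry path and the 64 KiB limit are assumptions made for the example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/json"
	"io"
)

type manifest struct{ Files []struct{ ID, Size int64 } } // hypothetical shape, not Vikunja's real schema; Size is uploader-controlled

// MeasuredSize is the hardened check: it counts the bytes the entry really inflates to;
// the LimitReader stops at limit+1, so an oversized entry cannot fill memory or disk.
func MeasuredSize(zr *zip.Reader, name string, limit int64) (int64, bool, error) {
	r, err := zr.Open(name)
	if err != nil {
		return 0, false, err
	}
	defer r.Close()
	n, err := io.Copy(io.Discard, io.LimitReader(r, limit+1))
	return n, err == nil && n <= limit, err
}

// Verdicts returns the flawed verdict (manifest Size <= limit) beside the hardened one
// for file ID 1, whose entry is assumed to live at files/1.
func Verdicts(zr *zip.Reader, limit int64) (vuln, hardened bool, actual int64, err error) {
	var m manifest
	if f, err := zr.Open("data.json"); err != nil {
		return false, false, 0, err
	} else if err = json.NewDecoder(f).Decode(&m); err != nil {
		return false, false, 0, err
	}
	actual, hardened, err = MeasuredSize(zr, "files/1", limit)
	return m.Files[0].Size <= limit, hardened, actual, err
}

// SampleImport builds a constructed import zip in memory: data.json declares Size 0
// for file 1, while files/1 holds 1 MiB of zero bytes (only a few KB once deflated).
func SampleImport() *zip.Reader {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("data.json")
	w.Write([]byte(`{"files":[{"ID":1,"Size":0}]}`))
	w, _ = zw.Create("files/1")
	w.Write(make([]byte, 1<<20))
	zw.Close()
	zr, _ := zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
	return zr
}
```

The uncompressed size recorded in the zip central directory (what unzip -l prints) is also metadata the uploader controls, so only inflating the entry with a cap measures the real length.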

