CVE-2026-35602
Received Received - Intake
File Size Bypass in Vikunja Import Allows Large File Uploads

Publication date: 2026-04-10

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the Vikunja file import endpoint uses the attacker-controlled Size field from the JSON metadata inside the import zip instead of the actual decompressed file content length for the file size enforcement check. By setting Size to 0 in the JSON while including large compressed file entries in the zip, an attacker bypasses the configured maximum file size limit. This vulnerability is fixed in 2.3.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35602
EUVD
EUVD-2026-21429
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vikunja vikunja to 2.3.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-35602 is a moderate severity vulnerability in Vikunja, an open-source self-hosted task management platform, affecting versions prior to 2.3.0.

The vulnerability occurs because the file import endpoint trusts an attacker-controlled "Size" field from JSON metadata inside an import ZIP archive instead of using the actual decompressed file content length to enforce the maximum file size limit.

An attacker can set the "Size" field to 0 in the JSON metadata while including large compressed files in the ZIP, bypassing the configured maximum file size check (default 20MB). This allows uploading files much larger than the limit, potentially up to hundreds of megabytes or more after decompression.

This happens because the import process compares the attacker-supplied size against the limit, and if the size is set to 0, the check passes incorrectly, allowing the import to proceed with large files.

Impact Analysis

This vulnerability allows authenticated users to bypass file size limits by uploading small compressed ZIP files that decompress into very large files, which can exhaust server storage.

  • An attacker can upload a small compressed file (e.g., 25KB) that decompresses to a much larger size (e.g., 25MB or more), bypassing the 20MB file size limit.
  • Repeated exploitation can fill the server's disk space, leading to denial of service for all users of the Vikunja instance.
  • There is no per-user storage quota to mitigate this risk, increasing the potential impact.

Overall, the vulnerability can cause resource exhaustion and availability issues on the server hosting Vikunja.

Detection Guidance

This vulnerability involves an attacker bypassing file size limits by uploading ZIP files with manipulated JSON metadata. Detection can focus on monitoring for unusually large decompressed file sizes relative to the reported size in the JSON metadata inside import ZIP files.

You can detect suspicious activity by inspecting the contents of ZIP files being imported, especially the data.json file inside the ZIP, to verify if the "Size" field matches the actual decompressed file size.

Suggested commands include extracting and inspecting the ZIP contents and comparing file sizes:

  • Unzip the import ZIP file: unzip suspicious_import.zip -d /tmp/import_contents
  • Check the size field in data.json: cat /tmp/import_contents/data.json | jq '.files[].Size'
  • Compare the reported Size with actual decompressed file sizes: find /tmp/import_contents -type f -exec ls -lh {} \;

Additionally, monitoring server disk usage spikes or unusually large file uploads by authenticated users may help detect exploitation attempts.

Mitigation Strategies

The primary mitigation is to upgrade Vikunja to version 2.3.0 or later, where the vulnerability is fixed.

The fix includes enforcing file size limits based on the actual decompressed file content length rather than trusting the attacker-controlled JSON "Size" field.

Until upgrading, consider these immediate steps:

  • Restrict authenticated user permissions to limit who can import files.
  • Monitor and limit disk usage to detect and prevent resource exhaustion.
  • Manually inspect import ZIP files for suspiciously small reported sizes with large actual content.

Implementing per-user storage quotas or additional file size validation outside of Vikunja may also help mitigate risk until the patch is applied.

Compliance Impact

This vulnerability allows authenticated users to bypass file size limits by uploading compressed ZIP files that decompress into large files, potentially exhausting server storage and causing denial of service.

While the vulnerability impacts availability by enabling resource exhaustion, it does not affect confidentiality or integrity directly.

Because it can lead to denial of service and uncontrolled resource consumption without per-user quotas, organizations using Vikunja may face challenges in maintaining compliance with standards that require availability and resource management controls, such as HIPAA's availability requirements or GDPR's data protection principles.

However, there is no direct indication from the provided information that this vulnerability leads to unauthorized data disclosure or modification, which are critical for compliance with confidentiality and integrity requirements.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35602. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart