CVE-2026-40103
Scoped-Token Authorization Bypass in Vikunja Project Background API
Publication date: 2026-04-10
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vikunja | vikunja | < 2.3.0 (2.3.0 not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-836 | The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-40103 is an authorization bypass vulnerability in Vikunja's scoped API token enforcement that allows tokens with insufficient permissions to perform unauthorized delete operations on project backgrounds. This weakness can lead to unauthorized modification or deletion of data.
Such unauthorized access and modification could weaken the trust model for automation and third-party integrations relying on scoped tokens, potentially leading to violations of data integrity and access control requirements mandated by standards like GDPR and HIPAA.
However, the CVE description and resources do not explicitly discuss compliance impacts or mention specific regulatory frameworks such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-40103 is an authorization bypass vulnerability in Vikunja's scoped API token enforcement. The issue arises because the system incorrectly checks permissions based on the API route path without properly verifying the HTTP method used. For example, a token with permission to access the project background (GET method) can improperly perform a DELETE operation on the same endpoint, even though it lacks the explicit delete permission. This happens due to method confusion and permission leakage between parent and nested resource groups, allowing tokens to execute unauthorized HTTP methods on API routes.
The vulnerability was fixed by rewriting the authorization matcher to strictly enforce both the HTTP method and path for each token permission, ensuring that only the exact stored route and method combination is authorized. This prevents tokens from performing unauthorized actions by guessing permissions based on path names alone.
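To make the matcher flaw concrete, the following is an added Go example, not Vikunja's own code: it places a path-only matcher (the behaviour the answer describes, including the parent-group leakage) beside a matcher that requires both the HTTP method and the exact stored route. The permission names, route templates and function names are assumptions for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Route is the stored (method, path-template) pair that one token permission
// authorizes. Permission names and templates here are assumptions for this
// example, not Vikunja's real identifiers.
type Route struct {
	Method string
	Path   string
}

// pathMatches compares a route template with a concrete request path; ":name"
// segments are wildcards. With allowPrefix the template also matches any longer
// path beneath it, which is how a parent-group permission leaks onto a nested
// resource.
func pathMatches(template, path string, allowPrefix bool) bool {
	t := strings.Split(strings.Trim(template, "/"), "/")
	p := strings.Split(strings.Trim(path, "/"), "/")
	if len(p) < len(t) || (!allowPrefix && len(p) != len(t)) {
		return false
	}
	for i := range t {
		if strings.HasPrefix(t[i], ":") {
			continue
		}
		if t[i] != p[i] {
			return false
		}
	}
	return true
}

// AuthorizeVulnerable models the flaw: the decision keys on the path only, so
// the method argument is deliberately ignored, any HTTP method is accepted on a
// path the token may reach, and a parent route covers everything nested below it.
func AuthorizeVulnerable(perms map[string]Route, method, path string) bool {
	for _, r := range perms {
		if pathMatches(r.Path, path, true) {
			return true
		}
	}
	return false
}

// AuthorizeStrict models the fix: the request must match a stored permission on
// both the method and the exact route template.
func AuthorizeStrict(perms map[string]Route, method, path string) bool {
	for _, r := range perms {
		if r.Method == method && pathMatches(r.Path, path, false) {
			return true
		}
	}
	return false
}

func main() {
	// Hypothetical token granted only read access to the project background.
	perms := map[string]Route{
		"projects.background": {Method: "GET", Path: "/projects/:project/background"},
	}
	path := "/projects/42/background"
	for _, m := range []string{"GET", "DELETE"} {
		fmt.Printf("%-6s %s vulnerable=%t strict=%t\n", m, path,
			AuthorizeVulnerable(perms, m, path), AuthorizeStrict(perms, m, path))
	}
}
```

Running it shows the GET-scoped token passing the vulnerable matcher for DELETE while the strict matcher rejects it; swapping in a permission on the parent route `/projects/:project` shows the same leakage onto the nested background route.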
How can this vulnerability impact me?
This vulnerability allows API tokens with limited permissions to perform unauthorized actions, such as deleting project backgrounds without having the proper delete permission. This weakens the security model for scoped API tokens, which are intended to restrict access to specific actions.
An attacker or malicious user who obtains a token with only read or limited permissions could escalate their privileges to perform destructive operations like deleting project backgrounds. This can lead to unintended data loss or manipulation within the Vikunja task management platform.
Overall, the impact is a moderate integrity risk where unauthorized modifications can occur, potentially disrupting project data and automation workflows that rely on scoped tokens.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing API token permissions against the HTTP methods they are supposed to authorize. Specifically, you can attempt to use an API token scoped with limited permissions (e.g., projects.background) to perform unauthorized HTTP methods (e.g., DELETE) on the same API routes.
For example, using a token that has only the 'projects.background' permission, send a DELETE request to /api/v1/projects/<project_id>/background and check whether it succeeds. If it does, the vulnerability is present. Note that a successful DELETE really removes the background, so run this check against a disposable test project rather than production data.
Suggested commands (replace <token>, <vikunja-server> and <project_id> accordingly, and compare the HTTP status codes of the two responses):
```sh
curl -H "Authorization: Bearer <token>" -X DELETE https://<vikunja-server>/api/v1/projects/<project_id>/background
curl -H "Authorization: Bearer <token>" -X GET https://<vikunja-server>/api/v1/projects/<project_id>/background
```
If the DELETE request succeeds with a token that only has the GET-scoped permission, the authorization bypass is present.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Vikunja to version 2.3.0 or later, where this vulnerability has been fixed by enforcing strict HTTP method and path matching for API token permissions.
Until the upgrade can be performed, restrict the issuance and use of scoped API tokens with permissions related to project background management, especially tokens with 'projects.background' permission, to trusted users only.
Additionally, review and audit existing API tokens and revoke or re-issue any whose permissions exceed what their integration needs, since every token carrying the 'projects.background' permission can trigger this flaw on an unpatched server.
Consider monitoring API usage logs for unauthorized DELETE requests on project background endpoints to detect potential exploitation attempts.
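For the log-monitoring suggestion, here is an added Go example, not Vikunja's own tooling: it scans constructed access-log lines for DELETE requests on the project background route and flags those issued by tokens that were never granted a delete scope, separating accepted deletions from rejected attempts. The log format, the token identifiers and the permission table are constructed for this example and must be adapted to the real log source.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample access log in an assumed "<time> <token_id> <method> <path> <status>"
// format; real Vikunja logs will differ and the parser must be adapted to them.
const sampleLog = `2026-04-12T09:14:02Z tok_ci_01 GET /api/v1/projects/42/background 200
2026-04-12T09:14:05Z tok_ci_01 DELETE /api/v1/projects/42/background 200
2026-04-12T09:15:11Z tok_admin DELETE /api/v1/projects/7/background 200
2026-04-12T09:16:40Z tok_ci_02 DELETE /api/v1/projects/42/background 403
2026-04-12T09:17:00Z tok_ci_01 GET /api/v1/projects/42/tasks 200`

// deleteAllowed is a hypothetical extract from the token inventory recording
// which tokens were actually granted a delete scope on project backgrounds.
var deleteAllowed = map[string]bool{"tok_admin": true}

// backgroundRoute matches the endpoint named in the advisory.
var backgroundRoute = regexp.MustCompile(`^/api/v1/projects/\d+/background$`)

// Finding is one DELETE on a project background by a token without delete scope.
type Finding struct {
	Token    string
	Path     string
	Status   string
	Severity string // "exploited" when the server accepted it, "attempted" otherwise
}

// ScanLog returns every DELETE on a project background issued by a token that is
// not in the allowed set. A 2xx status means the bypass went through (the server
// is unpatched); any other status is a rejected attempt worth investigating.
func ScanLog(logText string, allowed map[string]bool) []Finding {
	var findings []Finding
	for _, line := range strings.Split(logText, "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			continue // empty or malformed line
		}
		token, method, path, status := f[1], f[2], f[3], f[4]
		if method != "DELETE" || !backgroundRoute.MatchString(path) || allowed[token] {
			continue
		}
		severity := "attempted"
		if strings.HasPrefix(status, "2") {
			severity = "exploited"
		}
		findings = append(findings, Finding{Token: token, Path: path, Status: status, Severity: severity})
	}
	return findings
}

func main() {
	for _, f := range ScanLog(sampleLog, deleteAllowed) {
		fmt.Printf("%-9s token=%s status=%s %s\n", f.Severity, f.Token, f.Status, f.Path)
	}
}
```

On the sample data the scan reports tok_ci_01 as "exploited" (its DELETE was accepted) and tok_ci_02 as "attempted" (rejected with 403), while tok_admin's legitimate deletion and the GET requests are ignored; the allowed-token table is what turns a generic "DELETE on background" rule into a signal specific to this bypass.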