CVE-2026-40103
Received Received - Intake
Scoped-Token Authorization Bypass in Vikunja Project Background API

Publication date: 2026-04-10

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with only projects.background_delete is rejected. This is a scoped-token authorization bypass. This vulnerability is fixed in 2.3.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40103
EUVD
EUVD-2026-21494
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vikunja vikunja to 2.3.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-836 The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40103 is an authorization bypass vulnerability in Vikunja's scoped API token enforcement. The issue arises because the system incorrectly checks permissions based on the API route path without properly verifying the HTTP method used. For example, a token with permission to access the project background (GET method) can improperly perform a DELETE operation on the same endpoint, even though it lacks the explicit delete permission. This happens due to method confusion and permission leakage between parent and nested resource groups, allowing tokens to execute unauthorized HTTP methods on API routes.

The vulnerability was fixed by rewriting the authorization matcher to strictly enforce both the HTTP method and path for each token permission, ensuring that only the exact stored route and method combination is authorized. This prevents tokens from performing unauthorized actions by guessing permissions based on path names alone.

Impact Analysis

This vulnerability allows API tokens with limited permissions to perform unauthorized actions, such as deleting project backgrounds without having the proper delete permission. This weakens the security model for scoped API tokens, which are intended to restrict access to specific actions.

An attacker or malicious user who obtains a token with only read or limited permissions could escalate their privileges to perform destructive operations like deleting project backgrounds. This can lead to unintended data loss or manipulation within the Vikunja task management platform.

Overall, the impact is a moderate integrity risk where unauthorized modifications can occur, potentially disrupting project data and automation workflows that rely on scoped tokens.

Detection Guidance

This vulnerability can be detected by testing API token permissions against the HTTP methods they are supposed to authorize. Specifically, you can attempt to use an API token scoped with limited permissions (e.g., projects.background) to perform unauthorized HTTP methods (e.g., DELETE) on the same API routes.

For example, using a token with only the 'projects.background' permission, you can send a DELETE request to the endpoint /api/v1/projects/<project_id>/background and check if the request succeeds. If it does, the vulnerability is present.

Suggested commands (replace <token> and <project_id> accordingly):

  • curl -H "Authorization: Bearer <token>" -X DELETE https://<vikunja-server>/api/v1/projects/<project_id>/background
  • curl -H "Authorization: Bearer <token>" -X GET https://<vikunja-server>/api/v1/projects/<project_id>/background

If the DELETE request succeeds with a token that only has the GET-scoped permission, it indicates the presence of the authorization bypass vulnerability.

Mitigation Strategies

The immediate mitigation step is to upgrade Vikunja to version 2.3.0 or later, where this vulnerability has been fixed by enforcing strict HTTP method and path matching for API token permissions.

Until the upgrade can be performed, restrict the issuance and use of scoped API tokens with permissions related to project background management, especially tokens with 'projects.background' permission, to trusted users only.

Additionally, review and audit existing API tokens to ensure none have excessive permissions that could exploit this flaw.

Consider monitoring API usage logs for unauthorized DELETE requests on project background endpoints to detect potential exploitation attempts.

Compliance Impact

CVE-2026-40103 is an authorization bypass vulnerability in Vikunja's scoped API token enforcement that allows tokens with insufficient permissions to perform unauthorized delete operations on project backgrounds. This weakness can lead to unauthorized modification or deletion of data.

Such unauthorized access and modification could weaken the trust model for automation and third-party integrations relying on scoped tokens, potentially leading to violations of data integrity and access control requirements mandated by standards like GDPR and HIPAA.

However, the CVE description and resources do not explicitly discuss compliance impacts or mention specific regulatory frameworks such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40103. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart