{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35596", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T21:25:12.162Z", "datePublished": "2026-04-10T15:59:43.255Z", "dateUpdated": "2026-04-14T14:51:51.537Z"}, "containers": {"cna": {"title": "Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-hj5c-mhh2-g7jq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-hj5c-mhh2-g7jq"}, {"name": "https://github.com/go-vikunja/vikunja/pull/2578", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-vikunja/vikunja/pull/2578"}, {"name": "https://github.com/go-vikunja/vikunja/commit/fc216c38afaa51dd56dde7a97343d2148ecf24c1", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-vikunja/vikunja/commit/fc216c38afaa51dd56dde7a97343d2148ecf24c1"}, {"name": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0"}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"version": "< 2.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T15:59:43.255Z"}, "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed. This vulnerability is fixed in 2.3.0."}], "source": {"advisory": "GHSA-hj5c-mhh2-g7jq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T14:51:36.685636Z", "id": "CVE-2026-35596", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:51:51.537Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35596", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T14:51:36.685636Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:51:45.978Z"}}], "cna": {"title": "Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug", "source": {"advisory": "GHSA-hj5c-mhh2-g7jq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"status": "affected", "version": "< 2.3.0"}]}], "references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-hj5c-mhh2-g7jq", "name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-hj5c-mhh2-g7jq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/go-vikunja/vikunja/pull/2578", "name": "https://github.com/go-vikunja/vikunja/pull/2578", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/go-vikunja/vikunja/commit/fc216c38afaa51dd56dde7a97343d2148ecf24c1", "name": "https://github.com/go-vikunja/vikunja/commit/fc216c38afaa51dd56dde7a97343d2148ecf24c1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0", "name": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed. This vulnerability is fixed in 2.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T15:59:43.255Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35596", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:51:51.537Z", "dateReserved": "2026-04-03T21:25:12.162Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-10T15:59:43.255Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "matchCriteriaId": "CC8B46CF-6E7B-46F4-8275-D1A38F2A6D5E", "versionEndExcluding": "2.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed. This vulnerability is fixed in 2.3.0."}], "id": "CVE-2026-35596", "lastModified": "2026-04-17T22:00:03.637", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-10T17:17:03.067", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/go-vikunja/vikunja/commit/fc216c38afaa51dd56dde7a97343d2148ecf24c1"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/go-vikunja/vikunja/pull/2578"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-hj5c-mhh2-g7jq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vikunja", "source": "cna", "vendor": "go-vikunja"}, "product": "vikunja", "vendor": "go-vikunja"}], "analysis": {"en": {"generated_at": "2026-04-10T17:27:40.052018+00:00", "value": {"mitigation_remediation": ["Upgrade Vikunja to version 2.3.0 or later.", "Confirm that label data is no longer returned for projects the user does not own.", "Review and reinforce project\u2011level access controls to match the updated logic.", "Monitor application logs for attempts to read unauthorized labels."], "summary": {"action": "Patch", "impact": "Unauthorized Access to Label Metadata"}, "threat_synthesis": {"affected_systems": "Affected deployments are those running Vikunja before version 2.3.0, the open\u2011source self\u2011hosted task management platform maintained by go\u2011vikunja. No other vendors are listed in this advisory. Users operating any version older than 2.3.0 are impacted.", "description_and_impact": "The vulnerability in Vikunja's hasAccessToLabel function arises from a SQL operator precedence bug. An attacker who is authenticated can craft requests that bypass project\u2011level checks and retrieve any label associated with at least one task. The exposed data includes the label\u2019s title, description, color, and creator identity. This leak compromises confidentiality of organizational metadata and represents a broken access control flaw (CWE\u2011863). It does not lead to code execution or denial of service, but it allows unauthorized disclosure of sensitive information.", "risk_and_exploitability": "The CVSS score of 4.3 points to low severity, and no EPSS score is available, so the likelihood of exploitation is uncertain. The vulnerability is not included in the CISA KEV catalog. Exploitation requires only authenticated access to the application; no special conditions are needed. While the impact is restricted to confidential label data, the ease of exploitation means the risk is moderate but not critical. Administrators should apply the 2.3.0 patch promptly to eliminate the flaw."}}}}, "created": "2026-04-13T12:44:33.985258+00:00", "updated": "2026-04-13T13:01:04.257614+00:00", "vendors": ["go-vikunja", "go-vikunja$PRODUCT$vikunja"]}