{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40103", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T01:41:38.536Z", "datePublished": "2026-04-10T16:12:27.603Z", "dateUpdated": "2026-04-15T14:45:18.303Z"}, "containers": {"cna": {"title": "Vikunja's Scoped API tokens with projects.background permission can delete project backgrounds", "problemTypes": [{"descriptions": [{"cweId": "CWE-836", "lang": "en", "description": "CWE-836: Use of Password Hash Instead of Password for Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-v479-vf79-mg83", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-v479-vf79-mg83"}, {"name": "https://github.com/go-vikunja/vikunja/pull/2584", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-vikunja/vikunja/pull/2584"}, {"name": "https://github.com/go-vikunja/vikunja/commit/6a0f39b252a81fa4b19dc56dc889183acc9225ae", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-vikunja/vikunja/commit/6a0f39b252a81fa4b19dc56dc889183acc9225ae"}, {"name": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0"}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"version": "< 2.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T16:12:27.603Z"}, "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with only projects.background_delete is rejected. This is a scoped-token authorization bypass. This vulnerability is fixed in 2.3.0."}], "source": {"advisory": "GHSA-v479-vf79-mg83", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T14:45:05.880850Z", "id": "CVE-2026-40103", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T14:45:18.303Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40103", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T14:45:05.880850Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T14:45:14.173Z"}}], "cna": {"title": "Vikunja's Scoped API tokens with projects.background permission can delete project backgrounds", "source": {"advisory": "GHSA-v479-vf79-mg83", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"status": "affected", "version": "< 2.3.0"}]}], "references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-v479-vf79-mg83", "name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-v479-vf79-mg83", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/go-vikunja/vikunja/pull/2584", "name": "https://github.com/go-vikunja/vikunja/pull/2584", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/go-vikunja/vikunja/commit/6a0f39b252a81fa4b19dc56dc889183acc9225ae", "name": "https://github.com/go-vikunja/vikunja/commit/6a0f39b252a81fa4b19dc56dc889183acc9225ae", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0", "name": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with only projects.background_delete is rejected. This is a scoped-token authorization bypass. This vulnerability is fixed in 2.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-836", "description": "CWE-836: Use of Password Hash Instead of Password for Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T16:12:27.603Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40103", "state": "PUBLISHED", "dateUpdated": "2026-04-15T14:45:18.303Z", "dateReserved": "2026-04-09T01:41:38.536Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-10T16:12:27.603Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "matchCriteriaId": "CC8B46CF-6E7B-46F4-8275-D1A38F2A6D5E", "versionEndExcluding": "2.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with only projects.background_delete is rejected. This is a scoped-token authorization bypass. This vulnerability is fixed in 2.3.0."}], "id": "CVE-2026-40103", "lastModified": "2026-04-17T22:03:51.840", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-10T17:17:13.143", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/go-vikunja/vikunja/commit/6a0f39b252a81fa4b19dc56dc889183acc9225ae"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/go-vikunja/vikunja/pull/2584"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-v479-vf79-mg83"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-836"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vikunja", "source": "cna", "vendor": "go-vikunja"}, "product": "vikunja", "vendor": "go-vikunja"}], "analysis": {"en": {"generated_at": "2026-04-10T18:05:31.040878+00:00", "value": {"mitigation_remediation": ["Upgrade Vikunja to version 2.3.0 or later to apply the patch that corrects the scoped\u2011token enforcement for project background deletion.", "Verify that your API tokens use the correct scopes: tokens with only projects.background should not have any deletion privileges.", "If an immediate upgrade is not possible, revoke or delete any tokens that contain the projects.background scope to prevent unauthorized deletion until a patch can be applied."], "summary": {"action": "Patch", "impact": "Unauthorized Deletion of Project Backgrounds"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts all installations of the go\u2011vikunja:vikunja product running a version earlier than 2.3.0. The fix was released in the 2.3.0 release; therefore any deployment using an earlier version remains vulnerable until it is upgraded.", "description_and_impact": "Vikunja, an open\u2011source self\u2011hosted task management platform, suffered a scoped\u2011token authorization bypass due to method\u2011confusion in the custom project background API routes. A token granted the projects.background scope could delete a project background, while a token with the dedicated projects.background_delete scope was correctly rejected. This demonstrates CWE\u2011836 (Authorization Bypass Through ID Manipulation) and allows an attacker to tamper with project visuals, compromising data integrity without affecting confidentiality or availability.", "risk_and_exploitability": "The CVSS base score of 4.3 indicates moderate severity. No EPSS score was provided and the vulnerability is not listed in CISA's KEV catalog. The attack requires only an API token possessing the projects.background scope and the ability to send a standard HTTP request to the background deletion endpoint, making exploitation straightforward for any user who can obtain such a token."}}}}, "created": "2026-04-13T12:43:57.643657+00:00", "updated": "2026-04-13T13:00:25.400920+00:00", "vendors": ["go-vikunja", "go-vikunja$PRODUCT$vikunja"]}