CVE-2026-35598 MEDIUM

CVE-2026-35598: Vikunja has Missing Authorization on CalDAV Task Read

Vendor Go-Vikunja
Product vikunja
Weakness CWE-862 · Missing authorization
Published April 10, 2026
Last update April 14, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows (or guesses) a task UID can read the full task data from any project on the instance. This vulnerability is fixed in 2.3.0.
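The missing check described above, sketched in Go beside a corrected form. This is an added example, not Vikunja's code or its 2.3.0 patch: the `Task` and `Store` types, the `canRead` map, `GetResourceUnchecked` and the sample data are hypothetical, and only the method names `GetResource` and `GetResourcesByList` come from the advisory.

```go
package main

import "fmt"

// Hypothetical, simplified model: not Vikunja's actual types or code.
type Task struct {
	UID, Title string
	ProjectID  int64
}
type Store struct {
	tasks   map[string]Task          // keyed by task UID
	canRead map[int64]map[int64]bool // userID -> projectID -> read access
}

// Pattern the advisory describes: lookup by UID alone; userID is never consulted.
func (s *Store) GetResourceUnchecked(userID int64, uid string) (Task, bool) {
	t, ok := s.tasks[uid]
	return t, ok
}

// Corrected pattern: check access to the task's project; denied looks like missing.
func (s *Store) GetResource(userID int64, uid string) (Task, bool) {
	t, ok := s.tasks[uid]
	if !ok || !s.canRead[userID][t.ProjectID] {
		return Task{}, false
	}
	return t, true
}

// Batch variant: every requested UID goes through the same per-task check.
func (s *Store) GetResourcesByList(userID int64, uids []string) []Task {
	var out []Task
	for _, uid := range uids {
		if t, ok := s.GetResource(userID, uid); ok {
			out = append(out, t)
		}
	}
	return out
}

// Constructed sample data: user 1 can read project 10 only; "uid-b" is in project 20.
var sample = &Store{
	tasks:   map[string]Task{"uid-a": {"uid-a", "own", 10}, "uid-b": {"uid-b", "other", 20}},
	canRead: map[int64]map[int64]bool{1: {10: true}, 2: {20: true}},
}

func main() {
	_, leaked := sample.GetResourceUnchecked(1, "uid-b")
	fmt.Println(leaked, len(sample.GetResourcesByList(1, []string{"uid-a", "uid-b"})))
}
```

A regression test for this class of bug should request a task UID from a project the test user cannot read, through both the single and the batch path, and expect no task data back.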

Key dates

02 Disclosure timeline

April 10, 2026 CVE published
April 14, 2026 Record updated