CVE-2026-40103 MEDIUM

CVE-2026-40103: Vikunja's Scoped API tokens with projects.background permission can delete project backgrounds

Vendor Go-Vikunja
Product vikunja
Weakness CWE-836
Published April 10, 2026
Last update April 15, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with only projects.background_delete is rejected. This is a scoped-token authorization bypass. This vulnerability is fixed in 2.3.0.

Key dates

02Disclosure timeline

April 10, 2026 CVE published
April 15, 2026 Record updated