CVE-2026-35594: Vikunja: Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade

Vikunja’s link share authentication constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner deletes a link share or downgrades its permissions, all previously issued JWTs continue to grant the original permission level for up to 72 hours (the default service.jwtttl).

GetLinkShareFromClaims at pkg/models/link_sharing.go lines 88-119 performs zero database queries — it builds the LinkSharing struct purely from JWT claim values (id, hash, project_id, permission, sharedByID). This struct is passed directly to permission checks:

Contrast with user tokens: User JWTs use a 10-minute TTL (ServiceJWTTTLShort) with sid claim and server-side sessions enabling revocation. Link share JWTs use a 72-hour TTL (ServiceJWTTTL) with no sid, no server-side session, and no refresh mechanism.

Permalink:

• GetLinkShareFromClaims: pkg/models/link_sharing.go:88-119
• NewLinkShareJWTAuthtoken: pkg/modules/auth/auth.go:141-160
• Permission checks: pkg/models/project_permissions.go:50-53, 105-108, 192-194
• TTL defaults: pkg/config/config.go:337-339