CVE-2026-35595: Vikunja vulnerable to Privilege Escalation via Project Reparenting
A user with Write-level access to a project can escalate their permissions to Admin by moving the project under a project they own. After reparenting, the recursive permission CTE resolves ownership of the new parent as Admin on the moved project. The attacker can then delete the project, manage shares, and remove other users’ access.
References
- github.com/advisories/GHSA-2vq4-854f-5c72
- github.com/go-vikunja/vikunja
- github.com/go-vikunja/vikunja/commit/c03d682f48aff890eeb3c8b41d38226069722827
- github.com/go-vikunja/vikunja/pull/2583
- github.com/go-vikunja/vikunja/releases/tag/v2.3.0
- github.com/go-vikunja/vikunja/security/advisories/GHSA-2vq4-854f-5c72
- nvd.nist.gov/vuln/detail/CVE-2026-35595
Code Behaviors & Features
Detect and mitigate CVE-2026-35595 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →