CVE-2026-40103: Vikunja: Scoped API tokens with projects.background permission can delete project backgrounds
Vikunja’s scoped API token enforcement for custom project background routes is method-confused: the permission check does not match the HTTP method of the route it guards. As a result, a token holding only projects.background can successfully delete a project background, while a token holding only projects.background_delete is rejected.
This is a scoped-token authorization bypass: the delete operation is reachable with a narrower scope than the one intended to grant it.
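The following is an added illustration, not Vikunja's own code: a constructed route-to-scope table and checker that reproduce the method confusion described above (the DELETE route keyed to projects.background) beside the corrected mapping that keys DELETE to projects.background_delete. The scope names come from the advisory; the route paths and the `Allowed` helper are assumptions made for the example.

```go
package main

import "fmt"

// Scope names as given in the advisory.
const (
	ScopeBackground       = "projects.background"
	ScopeBackgroundDelete = "projects.background_delete"
)

// routeKey identifies a guarded route by HTTP method and path.
// Paths below are constructed placeholders, not Vikunja's real routes.
type routeKey struct {
	Method, Path string
}

const (
	uploadPath = "/projects/{id}/background/upload"
	deletePath = "/projects/{id}/background"
)

// buggyScopes reproduces the confusion: the DELETE route is guarded by the
// same scope as the upload route, so a projects.background token may delete
// and a projects.background_delete token is rejected on DELETE.
var buggyScopes = map[routeKey]string{
	{"PUT", uploadPath}:    ScopeBackground,
	{"DELETE", deletePath}: ScopeBackground,
}

// fixedScopes keys the required scope on the HTTP method: DELETE requires
// the dedicated delete scope and nothing less.
var fixedScopes = map[routeKey]string{
	{"PUT", uploadPath}:    ScopeBackground,
	{"DELETE", deletePath}: ScopeBackgroundDelete,
}

// Allowed reports whether a token holding tokenScopes may call method+path
// under the given route-to-scope table. Routes absent from the table are
// denied, so a missing entry fails closed rather than open.
func Allowed(table map[routeKey]string, tokenScopes []string, method, path string) bool {
	required, ok := table[routeKey{method, path}]
	if !ok {
		return false
	}
	for _, s := range tokenScopes {
		if s == required {
			return true
		}
	}
	return false
}

func main() {
	bg := []string{ScopeBackground}
	bgDel := []string{ScopeBackgroundDelete}
	fmt.Println("buggy: background-only token may DELETE:", Allowed(buggyScopes, bg, "DELETE", deletePath))
	fmt.Println("buggy: delete-only token may DELETE:    ", Allowed(buggyScopes, bgDel, "DELETE", deletePath))
	fmt.Println("fixed: background-only token may DELETE:", Allowed(fixedScopes, bg, "DELETE", deletePath))
	fmt.Println("fixed: delete-only token may DELETE:    ", Allowed(fixedScopes, bgDel, "DELETE", deletePath))
}
```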
References
- github.com/advisories/GHSA-v479-vf79-mg83
- github.com/go-vikunja/vikunja
- github.com/go-vikunja/vikunja/commit/6a0f39b252a81fa4b19dc56dc889183acc9225ae
- github.com/go-vikunja/vikunja/pull/2584
- github.com/go-vikunja/vikunja/releases/tag/v2.3.0
- github.com/go-vikunja/vikunja/security/advisories/GHSA-v479-vf79-mg83
- nvd.nist.gov/vuln/detail/CVE-2026-40103