Cyber Posture

CVE-2026-35595

Severity: High · Public PoC

Published: 10 April 2026
Modified: 17 April 2026
KEV Added: not listed
Patch: available (fixed in Vikunja 2.3.0)
CVSS Score: 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0003 (10.5th percentile)
Risk Priority: 17 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-35595 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Vikunja, an open-source self-hosted task management platform, affecting versions prior to 2.3.0. Its CVSS v3.1 base score is 8.3 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 10.5th percentile by exploit likelihood (well below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations this analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement); in practice the concrete remediation is the upgrade to Vikunja 2.3.0.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for access to system resources, directly addressing the CanUpdate check that let a project be reparented on the strength of Write access alone.

AC-6 Least Privilege (prevent)
Restricts users to the access they actually need, limiting how much an attacker gains when inherited Write access is turned into Admin through a manipulated project hierarchy.

AC-24 Access Control Decisions (prevent)
Requires that each access decision be evaluated against valid security attributes before enforcement, countering the recursive CTE misresolution that granted unintended Admin permissions on reparented projects.

MITRE ATT&CK Enterprise Techniques [AI]

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

This is a direct privilege escalation vulnerability (CWE-269) in a web application's permission model: an authenticated low-privilege user who can write to a project moves it under a project they own and thereby obtains Admin rights on it, bypassing the intent of the original share.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CanUpdate check at pkg/models/project_permissions.go:139-148 only requires CanWrite on the new parent project when changing parent_project_id. However, Vikunja's permission model uses a recursive CTE that walks up the project hierarchy to compute permissions. Moving a project under a different parent changes the permission inheritance chain. When a user has inherited Write access (from a parent project share) and reparents the child project under their own project tree, the CTE resolves their ownership of the new parent as Admin (permission level 2) on the moved project. This vulnerability is fixed in 2.3.0.

Deeper analysis [AI]

CVE-2026-35595 is a privilege escalation vulnerability in Vikunja, an open-source self-hosted task management platform, affecting versions prior to 2.3.0. The issue is in the CanUpdate permission check at pkg/models/project_permissions.go:139-148, which, when a request changes parent_project_id, only verifies that the caller has CanWrite on the new parent project. Vikunja computes effective permissions with a recursive common table expression (CTE) that walks up the project hierarchy, so the right a user holds on a project depends on where that project sits in the tree. Reparenting therefore changes the inheritance chain, and the check never asks what the caller's own right on the moved project becomes after the move. The vulnerability carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L) and is classified under CWE-269 (Improper Privilege Management).

An authenticated, low-privileged attacker (PR:L) who holds inherited Write access on a child project through a share on its parent can reparent that child under a project they own. The CTE then resolves their ownership of the new parent as Admin (permission level 2) on the moved project, a right the original share never granted. Exploitation is network-reachable and needs no user interaction; the outcome is full read and write control of the moved project's contents (C:H/I:H) with limited availability impact (A:L). Note the precondition: the attacker must already hold a Write-level share somewhere above the target, so exposure is limited to multi-user instances where such shares exist on parent projects.
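To make the inheritance walk and the flawed check concrete, here is an added Go model written for this page (it is not Vikunja's code and not its fix). It assumes Read=0 and Write=1 alongside the Admin=2 level the advisory states, resolves permissions the way the advisory describes the recursive CTE doing, and compares the vulnerable reparent check with a hardened one that refuses any move raising the caller's own effective right; the project IDs, user IDs and share are a constructed scenario.

```go
package main

import (
	"errors"
	"fmt"
)

// Right is a permission level. The advisory states Admin is level 2;
// Read=0 and Write=1 are assumed here for the example.
type Right int

const (
	RightRead  Right = 0
	RightWrite Right = 1
	RightAdmin Right = 2
	RightNone  Right = -1 // example-local sentinel: no access at all
)

// Project is the minimal shape the example needs: an owner and an optional parent.
type Project struct {
	ID, OwnerID int
	ParentID    int // 0 means top-level
}

// Share grants one user a right on one project; descendants inherit it.
type Share struct {
	ProjectID, UserID int
	Right             Right
}

// Model stands in for the tables the recursive CTE would query.
type Model struct {
	Projects map[int]*Project
	Shares   []Share
}

// effectiveRight walks from the project up through its ancestors, as the
// advisory describes the CTE doing: owning the project or any ancestor yields
// Admin, otherwise the highest share found on the way up applies. A reparent
// changes the path walked here, and with it the answer.
func (m *Model) effectiveRight(userID, projectID int) Right {
	best := RightNone
	seen := map[int]bool{} // cycle guard for corrupted hierarchies
	for id := projectID; id != 0 && !seen[id]; {
		seen[id] = true
		p, ok := m.Projects[id]
		if !ok {
			break
		}
		if p.OwnerID == userID {
			return RightAdmin
		}
		for _, s := range m.Shares {
			if s.ProjectID == id && s.UserID == userID && s.Right > best {
				best = s.Right
			}
		}
		id = p.ParentID
	}
	return best
}

func (m *Model) canWrite(userID, projectID int) bool {
	return m.effectiveRight(userID, projectID) >= RightWrite
}

// reparentVulnerable models the check the advisory describes: the caller may
// update the project (Write) and may write to the new parent. Nothing asks
// what the caller's right on the moved project becomes after the move.
func (m *Model) reparentVulnerable(userID, projectID, newParentID int) error {
	if !m.canWrite(userID, projectID) || !m.canWrite(userID, newParentID) {
		return errors.New("forbidden")
	}
	m.Projects[projectID].ParentID = newParentID
	return nil
}

// reparentHardened is this example's own mitigation, not Vikunja's fix: it
// keeps the original checks and additionally refuses any move that would
// raise the caller's own effective right on the moved project.
func (m *Model) reparentHardened(userID, projectID, newParentID int) error {
	if !m.canWrite(userID, projectID) || !m.canWrite(userID, newParentID) {
		return errors.New("forbidden")
	}
	p := m.Projects[projectID]
	before, oldParent := m.effectiveRight(userID, projectID), p.ParentID
	p.ParentID = newParentID // tentative move: evaluated, then kept or reverted
	if after := m.effectiveRight(userID, projectID); after > before {
		p.ParentID = oldParent
		return fmt.Errorf("forbidden: move would raise caller's right from %d to %d", before, after)
	}
	return nil
}

// Constructed scenario: the victim owns parent P with child C and shared P
// with the attacker at Write level; the attacker owns an unrelated project Q.
const (
	victimID, attackerID                 = 1, 2
	parentID, childID, attackerProjectID = 10, 11, 20
)

func newScenario() *Model {
	return &Model{
		Projects: map[int]*Project{
			parentID:          {ID: parentID, OwnerID: victimID},
			childID:           {ID: childID, OwnerID: victimID, ParentID: parentID},
			attackerProjectID: {ID: attackerProjectID, OwnerID: attackerID},
		},
		Shares: []Share{{ProjectID: parentID, UserID: attackerID, Right: RightWrite}},
	}
}

func main() {
	m := newScenario()
	fmt.Println("attacker on C before move:", m.effectiveRight(attackerID, childID)) // 1 (Write)
	fmt.Println("vulnerable move:", m.reparentVulnerable(attackerID, childID, attackerProjectID))
	fmt.Println("attacker on C after move:", m.effectiveRight(attackerID, childID)) // 2 (Admin)
	m = newScenario()
	fmt.Println("hardened move:", m.reparentHardened(attackerID, childID, attackerProjectID))
}
```

Running it shows the attacker's right on C as Write before the move and Admin after the vulnerable move, while the hardened check refuses the same request. The invariant used here (a move may not raise the caller's own right) is this example's choice; the actual correction is in the fixing commit referenced on this page, and a complete fix also has to account for the fact that a move changes effective rights for every other user with access to the subtree, which a caller-only check does not cover.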

The fix shipped in Vikunja 2.3.0, which corrects the permission check; upgrade to that release. Until the upgrade is applied, review Write-level shares on parent projects whose subtrees contain sensitive projects, since such a share is the precondition for the attack. Relevant resources include the fixing commit (https://github.com/go-vikunja/vikunja/commit/c03d682f48aff890eeb3c8b41d38226069722827), pull request (https://github.com/go-vikunja/vikunja/pull/2583), release notes (https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0), and the GitHub security advisory (https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2vq4-854f-5c72).

Details

CWE(s)

CWE-269 Improper Privilege Management

Affected Products

Vikunja Vikunja < 2.3.0 (fixed in 2.3.0)

CVEs Like This One

CVE-2026-33680 (same product: Vikunja)
CVE-2026-33334 (same product: Vikunja)
CVE-2026-33678 (same product: Vikunja)
CVE-2026-33679 (same product: Vikunja)
CVE-2026-33316 (same product: Vikunja)
CVE-2026-28268 (same product: Vikunja)
CVE-2026-27819 (same product: Vikunja)
CVE-2026-27616 (same product: Vikunja)
CVE-2026-33335 (same product: Vikunja)
CVE-2026-35602 (same product: Vikunja)

References

Fixing commit: https://github.com/go-vikunja/vikunja/commit/c03d682f48aff890eeb3c8b41d38226069722827
Pull request: https://github.com/go-vikunja/vikunja/pull/2583
Release notes: https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0
GitHub security advisory: https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2vq4-854f-5c72