CVE-2026-35602
Published: 10 April 2026
Summary
CVE-2026-35602 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Vikunja Vikunja. Its CVSS base score is 5.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 12.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates proper information input validation, including verifying actual decompressed file sizes in ZIP imports rather than trusting attacker-controlled JSON metadata.
Requires timely identification, reporting, and patching of flaws like the file size bypass in Vikunja's import endpoint, as fixed in version 2.3.0.
Provides denial-of-service protections that limit resource consumption from oversized file uploads, mitigating potential disk exhaustion even if size checks are bypassed.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability bypasses file size limits on import, directly enabling exploitation to cause disk space exhaustion and resource consumption on the server (T1499.004 Application or System Exploitation).
NVD Description
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the Vikunja file import endpoint uses the attacker-controlled Size field from the JSON metadata inside the import zip instead of the actual decompressed file content length for the file…
more
size enforcement check. By setting Size to 0 in the JSON while including large compressed file entries in the zip, an attacker bypasses the configured maximum file size limit. This vulnerability is fixed in 2.3.0.
Deeper analysisAI
CVE-2026-35602 is a vulnerability in Vikunja, an open-source self-hosted task management platform, affecting versions prior to 2.3.0. The issue lies in the file import endpoint, which enforces file size limits using the attacker-controlled "Size" field from JSON metadata embedded in the import ZIP file, rather than the actual decompressed content length. This design flaw, classified under CWE-770 (Allocation of Resources Without Limits or Throttling), enables attackers to bypass configured maximum file size restrictions by setting the Size value to 0 while including large compressed file entries in the ZIP archive. The vulnerability carries a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L).
An authenticated attacker with low privileges can exploit this over the network with low complexity and no user interaction required. By crafting a malicious ZIP file with falsified JSON metadata, the attacker can upload files exceeding the size limit, potentially leading to low-impact integrity violations (such as unauthorized data insertion) and availability issues (such as disk space exhaustion or resource consumption on the server).
The vulnerability is addressed in Vikunja version 2.3.0, where the file size check now uses the actual decompressed content length. Administrators should upgrade to this version or later to mitigate the issue. Detailed patch information is available in GitHub pull request #2575, the v2.3.0 release notes, and the security advisory GHSA-qh78-rvg3-cv54.
Details
- CWE(s)