{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35594", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T21:25:12.161Z", "datePublished": "2026-04-10T15:55:04.929Z", "dateUpdated": "2026-04-14T14:32:15.339Z"}, "containers": {"cna": {"title": "Vikunja Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade", "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "lang": "en", "description": "CWE-613: Insufficient Session Expiration", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-96q5-xm3p-7m84", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-96q5-xm3p-7m84"}, {"name": "https://github.com/go-vikunja/vikunja/pull/2581", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-vikunja/vikunja/pull/2581"}, {"name": "https://github.com/go-vikunja/vikunja/commit/379d8a5c19334ffe4846003f590e202c31a75479", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-vikunja/vikunja/commit/379d8a5c19334ffe4846003f590e202c31a75479"}, {"name": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0"}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"version": "< 2.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T15:55:04.929Z"}, "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims in pkg/models/link_sharing.go) constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner deletes a link share or downgrades its permissions, all previously issued JWTs continue to grant the original permission level for up to 72 hours (the default service.jwtttl). This vulnerability is fixed in 2.3.0."}], "source": {"advisory": "GHSA-96q5-xm3p-7m84", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-96q5-xm3p-7m84", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T14:32:11.692055Z", "id": "CVE-2026-35594", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:32:15.339Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35594", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T14:32:11.692055Z"}}}], "references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-96q5-xm3p-7m84", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:32:05.418Z"}}], "cna": {"title": "Vikunja Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade", "source": {"advisory": "GHSA-96q5-xm3p-7m84", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"status": "affected", "version": "< 2.3.0"}]}], "references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-96q5-xm3p-7m84", "name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-96q5-xm3p-7m84", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/go-vikunja/vikunja/pull/2581", "name": "https://github.com/go-vikunja/vikunja/pull/2581", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/go-vikunja/vikunja/commit/379d8a5c19334ffe4846003f590e202c31a75479", "name": "https://github.com/go-vikunja/vikunja/commit/379d8a5c19334ffe4846003f590e202c31a75479", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0", "name": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims in pkg/models/link_sharing.go) constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner deletes a link share or downgrades its permissions, all previously issued JWTs continue to grant the original permission level for up to 72 hours (the default service.jwtttl). This vulnerability is fixed in 2.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-613", "description": "CWE-613: Insufficient Session Expiration"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T15:55:04.929Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35594", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:32:15.339Z", "dateReserved": "2026-04-03T21:25:12.161Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-10T15:55:04.929Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "matchCriteriaId": "CC8B46CF-6E7B-46F4-8275-D1A38F2A6D5E", "versionEndExcluding": "2.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims in pkg/models/link_sharing.go) constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner deletes a link share or downgrades its permissions, all previously issued JWTs continue to grant the original permission level for up to 72 hours (the default service.jwtttl). This vulnerability is fixed in 2.3.0."}], "id": "CVE-2026-35594", "lastModified": "2026-04-24T14:53:24.230", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-10T16:16:32.000", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/go-vikunja/vikunja/commit/379d8a5c19334ffe4846003f590e202c31a75479"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/go-vikunja/vikunja/pull/2581"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-96q5-xm3p-7m84"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-96q5-xm3p-7m84"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vikunja", "source": "cna", "vendor": "go-vikunja"}, "product": "vikunja", "vendor": "go-vikunja"}], "analysis": {"en": {"generated_at": "2026-04-10T17:28:35.763175+00:00", "value": {"mitigation_remediation": ["Upgrade Vikunja to version 2.3.0 or later, which implements validation of link share status before issuing tokens.", "Re\u2011generate link shares after revocation or permission changes; existing tokens remain valid for a maximum of 72 hours, so plan to replace them promptly.", "Monitor access logs for unusual activity on previously revoked or downgraded shares to detect any exploitation."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized access due to stale JWT tokens"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Vikunja task management platform, version 2.2.x and older \u2013 any deployment running a release prior to 2.3.0 is susceptible. As Vikunja is typically self\u2011hosted, operators of any instance using the affected code are impacted, regardless of the hosting environment.", "description_and_impact": "Vikunja, an open\u2011source task management platform, issued JSON Web Tokens (JWTs) for link sharing that were created solely from the JWT claims without any server\u2011side verification of the share\u2019s current status. When a project owner deleted a share or lowered its permissions, the tokens that had already been handed out continued to grant the original level of access for the full 72\u2011hour default token lifetime, allowing an attacker or an inadvertently privileged user to view, edit, or otherwise interact with data that should have been inaccessible. The effect is a breach of confidentiality and integrity for the resources linked via the share. The weakness is classified as CWE\u2011613 (Failure to Validate The Scope of Access).", "risk_and_exploitability": "The CVSS score of 6.5 places the issue in the medium severity range, and the lack of an EPSS score indicates no publicly available data on exploit frequency. The issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Because the vulnerability is triggered by the continued validity of already issued JWTs, an attacker could exploit it by merely retrieving a previously distributed link share URL or by capturing a token in transit. The likely attack vector is over the network via the share link, and the prerequisite is possession of an existing JWT that was issued before the share was revoked or its permissions altered."}}}}, "created": "2026-04-13T12:44:35.998175+00:00", "updated": "2026-04-13T13:01:06.400615+00:00", "vendors": ["go-vikunja", "go-vikunja$PRODUCT$vikunja"]}