PT-2026-31945 · Vikunja · Vikunja

Published: 2026-04-10 · Updated: 2026-04-10 · CVE-2026-35594

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Vikunja versions prior to 2.3.0

Description: Vikunja's link share authentication constructs authorization objects entirely from JWT claims, without server-side database validation. When a project owner deletes a link share or downgrades its permissions, previously issued JWTs continue to grant the original permission level for up to 72 hours (the default service.jwtttl). The GetLinkShareFromClaims function at pkg/models/link sharing.go lines 88-119 performs no database queries and builds the LinkSharing struct purely from JWT claim values (id, hash, project id, permission, sharedByID). This struct is then used in permission checks within functions such as Project.CanRead, Project.CanWrite, and Project.IsAdmin in pkg/models/project permissions.go. Unlike user JWTs, which use a 10-minute TTL backed by server-side sessions that allow revocation, link share JWTs have a 72-hour TTL and no refresh mechanism, so there is no point at which the server re-checks whether the share still exists or still carries the claimed permission.

Recommendations: Update to version 2.3.0 or later, which adds database validation to the GetLinkShareFromClaims function. This validation verifies that the link share still exists and that the claimed permission level has not been downgraded.
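The following Go program is an added illustration of the pattern the advisory describes; it is not Vikunja's code, and every type, function and field name in it (LinkShareClaims, Store, VulnerableLinkShareFromClaims, ValidatedLinkShareFromClaims, CanWrite) is this example's own assumption. It assumes the JWT signature has already been verified, and it uses an in-memory map as a stand-in for the link share table. The vulnerable path builds the authorization object from the claims alone, so a token keeps its original permission after the share is downgraded or deleted; the validated path treats the stored record as authoritative.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission models the read/write/admin levels a link share can carry.
// The ordering (read < write < admin) is an assumption of this example.
type Permission int

const (
	PermissionRead Permission = iota
	PermissionWrite
	PermissionAdmin
)

// LinkShareClaims is the claim set the advisory says a link share JWT carries.
// The token signature is assumed to have been verified before this point.
type LinkShareClaims struct {
	ID         int64
	Hash       string
	ProjectID  int64
	Permission Permission
	SharedByID int64
}

// LinkShare is the server-side record of a link share.
type LinkShare struct {
	ID         int64
	Hash       string
	ProjectID  int64
	Permission Permission
	SharedByID int64
}

// Store stands in for the database table of link shares (constructed for this example).
type Store struct {
	shares map[int64]LinkShare
}

func NewStore(shares ...LinkShare) *Store {
	s := &Store{shares: make(map[int64]LinkShare)}
	for _, sh := range shares {
		s.shares[sh.ID] = sh
	}
	return s
}

// Delete models the owner removing a link share.
func (s *Store) Delete(id int64) { delete(s.shares, id) }

// SetPermission models the owner downgrading (or upgrading) a link share.
func (s *Store) SetPermission(id int64, p Permission) {
	if sh, ok := s.shares[id]; ok {
		sh.Permission = p
		s.shares[id] = sh
	}
}

var (
	ErrLinkShareRevoked = errors.New("link share no longer exists")
	ErrClaimMismatch    = errors.New("token claims do not match the stored link share")
)

// VulnerableLinkShareFromClaims mirrors the flaw: the authorization object is
// built purely from claim values, so nothing the owner changes after issuance
// is seen until the token expires.
func VulnerableLinkShareFromClaims(c LinkShareClaims) (LinkShare, error) {
	return LinkShare{ID: c.ID, Hash: c.Hash, ProjectID: c.ProjectID,
		Permission: c.Permission, SharedByID: c.SharedByID}, nil
}

// ValidatedLinkShareFromClaims looks the share up on every request. A deleted
// share is rejected, a claim that disagrees with the record is rejected, and
// the permission returned is the stored one, never the claimed one.
func ValidatedLinkShareFromClaims(s *Store, c LinkShareClaims) (LinkShare, error) {
	stored, ok := s.shares[c.ID]
	if !ok {
		return LinkShare{}, ErrLinkShareRevoked
	}
	if stored.Hash != c.Hash || stored.ProjectID != c.ProjectID || stored.SharedByID != c.SharedByID {
		return LinkShare{}, ErrClaimMismatch
	}
	return stored, nil // stored.Permission wins over c.Permission
}

// CanWrite models a project permission check such as Project.CanWrite.
func CanWrite(ls LinkShare, projectID int64) bool {
	return ls.ProjectID == projectID && ls.Permission >= PermissionWrite
}

func main() {
	store := NewStore(LinkShare{ID: 1, Hash: "h1", ProjectID: 10, Permission: PermissionWrite, SharedByID: 7})
	claims := LinkShareClaims{ID: 1, Hash: "h1", ProjectID: 10, Permission: PermissionWrite, SharedByID: 7}

	store.SetPermission(1, PermissionRead) // owner downgrades the share
	v, _ := VulnerableLinkShareFromClaims(claims)
	ok, _ := ValidatedLinkShareFromClaims(store, claims)
	fmt.Println("after downgrade, vulnerable CanWrite:", CanWrite(v, 10), "validated CanWrite:", CanWrite(ok, 10))

	store.Delete(1) // owner deletes the share
	_, err := ValidatedLinkShareFromClaims(store, claims)
	fmt.Println("after delete, validated error:", err)
}
```

Running the program shows the vulnerable path still granting write access after the downgrade, while the validated path drops to read and then rejects the token once the share is gone. The check adds one lookup per request, which is the cost the 2.3.0 fix accepts in exchange for immediate revocation.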


Weakness Enumeration: Insufficient Session Expiration

Related Identifiers: CVE-2026-35594, GHSA-96Q5-XM3P-7M84

Affected Products: Vikunja