PT-2026-31945 · Go+1 · Code.Vikunja.Io/Api+1
Published
2026-04-10
·
Updated
2026-04-10
·
CVE-2026-35594
CVSS v3.1
6.5
Medium
| AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
Title
Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade
Description
Vikunja's link share authentication constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner deletes a link share or downgrades its permissions, all previously issued JWTs continue to grant the original permission level for up to 72 hours (the default
service.jwtttl).GetLinkShareFromClaims at pkg/models/link sharing.go lines 88-119 performs zero database queries — it builds the LinkSharing struct purely from JWT claim values (id, hash, project id, permission, sharedByID). This struct is passed directly to permission checks:| Function | File | Lines | DB queries |
|---|---|---|---|
GetLinkShareFromClaims | link sharing.go | 88-119 | 0 |
Project.CanRead (link share) | project permissions.go | 105-108 | 0 |
Project.CanWrite (link share) | project permissions.go | 50-53 | 0 |
Project.IsAdmin (link share) | project permissions.go | 192-194 | 0 |
Contrast with user tokens: User JWTs use a 10-minute TTL (
ServiceJWTTTLShort) with sid claim and server-side sessions enabling revocation. Link share JWTs use a 72-hour TTL (ServiceJWTTTL) with no sid, no server-side session, and no refresh mechanism.Permalink:
GetLinkShareFromClaims:pkg/models/link sharing.go:88-119NewLinkShareJWTAuthtoken:pkg/modules/auth/auth.go:141-160- Permission checks:
pkg/models/project permissions.go:50-53, 105-108, 192-194 - TTL defaults:
pkg/config/config.go:337-339
PoC
# 1. Create an Admin-level link share on project 42
curl -X PUT "https://vikunja.example.com/api/v1/projects/42/shares"
-H "Authorization: Bearer <owner-jwt>"
-H "Content-Type: application/json"
-d '{"permission": 2}'
# Response: {"id": 5, "hash": "abc123", ...}
# 2. Obtain link share JWT (72h TTL, no sid claim)
curl -X POST "https://vikunja.example.com/api/v1/shares/abc123/auth"
# Response: {"token": "<link-share-jwt>"}
# 3. Delete the link share
curl -X DELETE "https://vikunja.example.com/api/v1/projects/42/shares/5"
-H "Authorization: Bearer <owner-jwt>"
# 200 OK — share row removed from database
# 4. Use the deleted share's JWT — STILL WORKS for up to 72 hours
curl -X GET "https://vikunja.example.com/api/v1/projects/42/tasks"
-H "Authorization: Bearer <link-share-jwt>"
# 200 OK — full task list returned with Admin permissions
# 5. Permission downgrade variant:
# Delete Admin share → create Read-only share → old JWT still has Admin accessImpact
- Revoked link shares remain functional for up to 72 hours (default TTL)
- Project owners cannot respond to security events (leaked URLs, access revocation) in real time
- Permission downgrades have no effect on outstanding tokens
- Scope: single project per token, severity scales with permission level (Admin > Write > Read)
Fix
Add database validation in
GetLinkShareFromClaims:func GetLinkShareFromClaims(claims jwt.MapClaims) (share *LinkSharing, err error) {
id, is := claims["id"].(float64)
if !is {
return nil, &ErrLinkShareTokenInvalid{}
}
// Validate against database
s := db.NewSession()
defer s.Close()
share, err = GetLinkShareByID(s, int64(id))
if err != nil {
return nil, err // Share was deleted
}
// Verify permission not downgraded
claimedPermission := Permission(claims["permission"].(float64))
if share.Permission < claimedPermission {
return nil, &ErrLinkShareTokenInvalid{}
}
return share, nil
}Alternatives: shorter TTL with refresh mechanism, token blocklist, or session tracking matching user token pattern.
Fix
Insufficient Session Expiration
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Code.Vikunja.Io/Api
Vikunja