PT-2026-31946 · Vikunja · Vikunja

Published: 2026-04-10 · Updated: 2026-05-20 · CVE-2026-35595

CVSS v3.1: 8.3 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Vikunja versions prior to 2.3.0

Description: A permission escalation issue exists in Vikunja that allows a user with Write access to a project to escalate their permissions to Admin by moving the project under a project they own. The cause is a flaw in the CanUpdate check at pkg/models/project permissions.go:139-148, which, when the parent project id changes, only verifies CanWrite on the new parent project. Vikunja's permission model uses a recursive CTE to compute permissions, and reparenting a project alters the permission inheritance chain. When a user with inherited Write access reparents a project under their own project tree, the CTE resolves their ownership of the new parent as Admin on the moved project. This allows the attacker to delete the project, manage shares, and remove other users' access. A proof of concept demonstrates that an attacker can escalate from inherited Write to Admin by reparenting and then delete the victim's project. Any project where Write access has been shared with collaborators is affected.

Recommendations: Require Admin permission instead of Write when changing the parent project id in the CanUpdate check at pkg/models/project permissions.go:139-148.
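The weak check and its hardened form, as an added illustration that is not Vikunja's own code: a toy permission store whose parent-chain walk stands in for the recursive CTE, with the pre-2.3.0 rule (Write on the new parent only) beside the hardened rule. The types Store, Project, Perm, the functions Effective, CanReparent and Sample, and the reading of the recommendation as "Admin on the project being moved" are this example's assumptions.

```go
package main
import "fmt"

// Added example, not Vikunja's code: a minimal model of the permission inheritance the advisory describes.
type Perm int
const ( None Perm = iota; Read; Write; Admin )
type Project struct {
	Owner, Parent int          // Parent 0 = top-level project
	Shares        map[int]Perm // direct shares: user id -> permission
}
type Store map[int]*Project

// Effective walks the parent chain (the job Vikunja gives a recursive CTE):
// owning any ancestor yields Admin, otherwise the highest direct share wins.
func (s Store) Effective(user, id int) Perm {
	best := None
	for pid := id; pid != 0; pid = s[pid].Parent {
		if s[pid].Owner == user {
			return Admin
		}
		if sh := s[pid].Shares[user]; sh > best {
			best = sh
		}
	}
	return best
}

// CanReparent models the CanUpdate check when the parent id changes:
// requireAdmin=false is the pre-2.3.0 behaviour the advisory describes (only
// Write on the new parent); true is the assumed hardened check, which also
// demands Admin on the project being moved.
func (s Store) CanReparent(user, id, newParent int, requireAdmin bool) bool {
	if s.Effective(user, newParent) < Write {
		return false
	}
	return !requireAdmin || s.Effective(user, id) >= Admin
}

// Sample is constructed for this example: user 1 owns project 5 (shared Write
// with user 2) and its child project 10; user 2 owns a separate project 20.
func Sample() Store {
	return Store{5: {Owner: 1, Shares: map[int]Perm{2: Write}}, 10: {Owner: 1, Parent: 5}, 20: {Owner: 2}}
}

func main() {
	s := Sample()
	fmt.Println("weak:", s.CanReparent(2, 10, 20, false), "hardened:", s.CanReparent(2, 10, 20, true))
	s[10].Parent = 20 // the move the weak check permits
	fmt.Println("user 2 is Admin on project 10 after move:", s.Effective(2, 10) == Admin)
}
```

With the weak rule the move is allowed and user 2's effective permission on project 10 jumps from inherited Write to Admin; the hardened rule denies the move because user 2 never held Admin on project 10.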

Fix

Weakness Enumeration: Improper Privilege Management

Related Identifiers:
CVE-2026-35595
GHSA-2VQ4-854F-5C72
GO-2026-4952

Affected Products: Vikunja