CVE-2026-35596

Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.3.0

Description A SQL operator precedence bug exists in the hasAccessToLabel function. This allows any authenticated user to read any label that has at least one task association, regardless of project access. Exposed information includes label titles, descriptions, colors, and creator information. The issue stems from an improperly grouped SQL query in pkg/models/label permissions.go:85-91, where the lack of proper grouping allows bypassing project access restrictions. The vulnerability allows cross-project information disclosure, exposing creator usernames and display names. An estimated number of affected devices or real-world incidents are not mentioned.

Recommendations Update to version 2.3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the hasAccessToLabel function until a patch is available.