PT-2026-31949 · Vikunja · Vikunja

Published 2026-04-10 · Updated 2026-04-10 · CVE-2026-35598

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Vikunja versions prior to 2.3.0

Description: The CalDAV GetResource and GetResourcesByList methods retrieve tasks by UID from the database without verifying the authenticated user's access to the task's project. This allows any authenticated CalDAV user who knows or guesses a task UID to read the full task data from any project. The GetTasksByUIDs function at pkg/models/tasks.go:376-393 performs a global database query without authorization checks, accepting a web.Auth parameter that is not used for permission filtering. This function is called by GetResource and GetResourcesByList within the CalDAV implementation. The project ID in the CalDAV URL is ignored, meaning a user can access tasks from other projects using a known UID. Task UIDs are UUIDv4 and are exposed in CalDAV resource paths and client synchronization logs.

Recommendations: Add a CanRead permission check on each returned task's project in both GetResource and GetResourcesByList.
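The following Go program is an added illustration of the recommended fix; it is not Vikunja's code and does not use its real types, database layer, or CalDAV handlers. The Task, Auth and Store types, the UIDs, the project IDs and the permission table are all constructed for the example. It places the flawed pattern (a UID lookup that accepts an auth argument and ignores it) next to the hardened form, which filters every returned task through a per-project CanRead check and additionally requires the project ID from the request URL to match the task's project.

```go
package main

import (
	"errors"
	"fmt"
)

// Task is a constructed stand-in for a task row; field names are assumptions,
// not Vikunja's real model.
type Task struct {
	ID        int64
	UID       string
	ProjectID int64
	Title     string
}

// Auth stands in for the authenticated caller (the web.Auth parameter the
// advisory says was accepted but never used for filtering).
type Auth struct {
	UserID int64
}

// Store is an in-memory substitute for the database.
type Store struct {
	tasks    []Task
	readable map[int64]map[int64]bool // userID -> set of project IDs readable by that user
}

// ErrNotFound is returned both for unknown UIDs and for tasks the caller may not
// read, so the response does not confirm that a guessed UID exists.
var ErrNotFound = errors.New("task not found")

// NewSampleStore builds constructed sample data: user 1 may read project 1 only,
// user 2 may read project 2 only.
func NewSampleStore() *Store {
	return &Store{
		tasks: []Task{
			{ID: 10, UID: "uid-p1-task", ProjectID: 1, Title: "project 1 task"},
			{ID: 20, UID: "uid-p2-task", ProjectID: 2, Title: "project 2 task"},
		},
		readable: map[int64]map[int64]bool{
			1: {1: true},
			2: {2: true},
		},
	}
}

// CanRead is the per-project permission check the advisory recommends adding.
// Here it is answered from the constructed permission table.
func (s *Store) CanRead(a Auth, projectID int64) bool {
	return s.readable[a.UserID][projectID]
}

// GetTasksByUIDsUnchecked reproduces the flawed pattern: a global lookup by UID
// in which the auth argument is accepted but ignored.
func (s *Store) GetTasksByUIDsUnchecked(_ Auth, uids []string) []Task {
	var out []Task
	for _, t := range s.tasks {
		for _, uid := range uids {
			if t.UID == uid {
				out = append(out, t)
			}
		}
	}
	return out
}

// GetTasksByUIDsAuthorized performs the same lookup but keeps only tasks whose
// project the caller is allowed to read.
func (s *Store) GetTasksByUIDsAuthorized(a Auth, uids []string) []Task {
	var out []Task
	for _, t := range s.GetTasksByUIDsUnchecked(a, uids) {
		if s.CanRead(a, t.ProjectID) {
			out = append(out, t)
		}
	}
	return out
}

// GetResource models a CalDAV single-resource handler: the project ID taken
// from the request URL must match the task's project, and the caller must be
// allowed to read that project. Either failure yields ErrNotFound.
func (s *Store) GetResource(a Auth, urlProjectID int64, uid string) (Task, error) {
	for _, t := range s.GetTasksByUIDsAuthorized(a, []string{uid}) {
		if t.ProjectID == urlProjectID {
			return t, nil
		}
	}
	return Task{}, ErrNotFound
}

func main() {
	s := NewSampleStore()
	alice := Auth{UserID: 1} // may read project 1 only
	fmt.Println("unchecked lookup of a project-2 UID returned", len(s.GetTasksByUIDsUnchecked(alice, []string{"uid-p2-task"})), "task(s)")
	fmt.Println("authorized lookup of a project-2 UID returned", len(s.GetTasksByUIDsAuthorized(alice, []string{"uid-p2-task"})), "task(s)")
	_, err := s.GetResource(alice, 2, "uid-p2-task")
	fmt.Println("GetResource against another user's project:", err)
}
```

Two design points are worth noting. The check is applied to each task's own ProjectID rather than to the project ID in the URL, so a caller cannot satisfy the check by naming a project they do own while supplying a UID from one they do not; the URL project is then required to match on top of that. And the handler returns the same ErrNotFound for "no such UID" and "not permitted", so the response does not turn a guessed UID into an existence oracle.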


Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-35598
GHSA-48CH-P4GQ-X46X

Affected Products

Vikunja