PT-2026-31985 · Go+1 · Code.Vikunja.Io/Api+1

Published

2026-04-10

·

Updated

2026-04-10

·

CVE-2026-40103

CVSS v3.1

4.3

Medium

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Summary

Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with only projects.background delete is rejected.
This is a scoped-token authorization bypass.

Details

I verified this locally on commit c5450fb55f5192508638cbb3a6956438452a712e.
Relevant code paths:
  • pkg/models/api routes.go
  • pkg/routes/routes.go
  • pkg/modules/background/handler/background.go
Route registration exposes separate permissions for the same path:
  • GET /api/v1/projects/:project/background -> projects.background
  • DELETE /api/v1/projects/:project/background -> projects.background delete
At enforcement time, CanDoAPIRoute() falls back to the parent group and reconstructs the child permission from the path segments only. For the DELETE request, that becomes background, so the matcher accepts any token containing projects.background without re-checking the HTTP method or matching the stored route detail.
This matters because RemoveProjectBackground() is a real destructive operation:
  • It checks project update rights.
  • It deletes the background file if present.
  • It clears the project's BackgroundFileID.

PoC

  1. Log in as a user who can update a project that already has a background.
  2. Create an API token with only: {"projects":["background"]}
  3. Send: DELETE /api/v1/projects/<project id>/background Authorization: Bearer <token>
  4. Observe that the request succeeds and the project background is removed.
For comparison:
  1. Create an API token with only: {"projects":["background delete"]}
  2. Repeat the same DELETE request.
  3. Observe that the request is rejected with 401 Unauthorized.
I confirmed this locally with three validations:
  1. /api/v1/routes advertises both background and background delete.
  2. The matcher unit test proves CanDoAPIRoute() accepts DELETE for background.
  3. The webtest proves a real API token with only background successfully deletes the background.

Impact

Scoped API tokens can exceed their intended capability. A token intended for project background access can delete project backgrounds, which weakens the trust model for automation and third-party integrations that rely on narrowly scoped tokens.
The attacker needs a valid API token created by a user who has update rights on the target project, but the token itself only needs the weaker projects.background permission.

Fix

Incorrect Authorization

Weakness Enumeration

CWE-836CWE-863

Related Identifiers

CVE-2026-40103
GHSA-V479-VF79-MG83

Affected Products

Code.Vikunja.Io/Api
Vikunja