PT-2026-31985 · Vikunja · Vikunja

Published 2026-04-10 · Updated 2026-04-10 · CVE-2026-40103

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Vikunja versions prior to 2.3.0

Description: Vikunja, a self-hosted task management platform, has a scoped API token enforcement issue for custom project background routes. A token with only projects.background permission can successfully delete a project background, while a token with only projects.background delete permission is rejected. This is a scoped-token authorization bypass. The issue affects the /api/v1/projects/:project/background endpoint, specifically the DELETE method. The CanDoAPIRoute() function incorrectly handles permission checks, falling back to the parent group and reconstructing the child permission from the path segments, allowing a token with projects.background to bypass the intended projects.background delete requirement for deleting project backgrounds. This could allow an attacker with a valid API token and projects.background permission to delete project backgrounds.

Recommendations: Update to version 2.3.0 or later.
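As an added illustration, not code from Vikunja itself, the following Go model reproduces the two behaviours the advisory describes: a check that rebuilds the permission from the path segments and so accepts the broad projects.background scope for DELETE while rejecting the exact projects.background delete scope, beside a fixed check that demands exactly the method-specific scope. The names Token, backgroundRoute, requiredScope, vulnerableCanDoAPIRoute and fixedCanDoAPIRoute, and the small route table, are constructed for this example from the advisory text.

```go
package main

import (
	"fmt"
	"strings"
)

// Token models a scoped Vikunja API token as the set of permission strings it holds.
type Token map[string]bool

const backgroundRoute = "/api/v1/projects/:project/background"

// requiredScope is a constructed route table: DELETE on the background
// route must demand the narrower "projects.background delete" scope.
func requiredScope(method, route string) string {
	if route != backgroundRoute {
		return ""
	}
	if method == "DELETE" {
		return "projects.background delete"
	}
	return "projects.background"
}

// vulnerableCanDoAPIRoute models the flawed check: the permission is rebuilt
// from the path segments ("projects" + "background") and the method-specific
// qualifier is dropped, so a token holding only "projects.background" passes
// while one holding only the exact "projects.background delete" is rejected.
func vulnerableCanDoAPIRoute(t Token, method, route string) bool {
	segs := strings.Split(strings.TrimPrefix(route, "/api/v1/"), "/")
	return t[segs[0]+"."+segs[len(segs)-1]]
}

// fixedCanDoAPIRoute demands exactly the scope the table assigns to this
// method and route; there is no fallback to the broader parent group.
func fixedCanDoAPIRoute(t Token, method, route string) bool {
	need := requiredScope(method, route)
	return need != "" && t[need]
}

func main() {
	broad := Token{"projects.background": true}
	exact := Token{"projects.background delete": true}
	fmt.Println("vulnerable, broad token may DELETE:", vulnerableCanDoAPIRoute(broad, "DELETE", backgroundRoute)) // true
	fmt.Println("vulnerable, exact token may DELETE:", vulnerableCanDoAPIRoute(exact, "DELETE", backgroundRoute)) // false
	fmt.Println("fixed, broad token may DELETE:     ", fixedCanDoAPIRoute(broad, "DELETE", backgroundRoute))      // false
	fmt.Println("fixed, exact token may DELETE:     ", fixedCanDoAPIRoute(exact, "DELETE", backgroundRoute))      // true
}
```

The same pattern makes a useful regression test for any route table: for every method and route, assert that only the exact scope is accepted and that each broader parent scope is refused.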

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2026-40103
GHSA-V479-VF79-MG83

Affected Products

Vikunja