Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims in pkg/models/link_sharing.go) constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner deletes a link share or downgrades its permissions, all previously issued JWTs continue to grant the original permission level for up to 72 hours (the default service.jwtttl). This vulnerability is fixed in 2.3.0.

INFO

Published Date :

2026-04-10T15:55:04.929Z

Last Modified :

2026-04-10T15:55:04.929Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-35594 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35594.

URL Resource
https://github.com/go-vikunja/vikunja/commit/379d8a5c19334ffe4846003f590e202c31a75479 cve-icon cve-icon
https://github.com/go-vikunja/vikunja/pull/2581 cve-icon cve-icon
https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0 cve-icon cve-icon
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-96q5-xm3p-7m84 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact