Information Disclosure Vulnerability Found in Vikunja Task Platform
The open-source task management platform Vikunja, in versions before 2.3.0, contains a medium-severity information disclosure vulnerability (CVE-2026-35596). This flaw, caused by a SQL operator precedence error, allows any authenticated user to view task labels and their creator details. Access is possible even without specific project permissions.
Context
Vikunja is an open-source task management platform that enables users to organize and manage tasks collaboratively. The identified vulnerability, CVE-2026-35596, affects all versions prior to 2.3.0 and is caused by a SQL operator precedence error. This issue allows authenticated users to access task labels and creator details without the necessary project permissions, highlighting potential weaknesses in the platform's security framework.
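The bug class named above, shown as an added example that is not Vikunja's code: the article does not reproduce the affected query, so the schema, rows and filter below are constructed to illustrate how an unparenthesized `OR` escapes a permission check that is joined with `AND`.

```python
import sqlite3

# Constructed schema and rows for illustration; not Vikunja's real tables.
SCHEMA = """
CREATE TABLE project_members (project_id INTEGER, user_id INTEGER);
CREATE TABLE tasks (id INTEGER PRIMARY KEY, project_id INTEGER);
CREATE TABLE labels (id INTEGER PRIMARY KEY, title TEXT,
                     description TEXT, created_by TEXT);
CREATE TABLE label_tasks (label_id INTEGER, task_id INTEGER);
INSERT INTO project_members VALUES (1, 10), (2, 20);
INSERT INTO tasks VALUES (100, 1), (200, 2);
INSERT INTO labels VALUES (1, 'frontend', 'ui work', 'alice'),
                          (2, 'acquisition', 'confidential deal', 'bob');
INSERT INTO label_tasks VALUES (1, 100), (2, 200);
"""

# Hypothetical label search restricted to projects the caller belongs to.
BASE = """
SELECT l.title, l.created_by
FROM labels l
JOIN label_tasks lt ON lt.label_id = l.id
JOIN tasks t ON t.id = lt.task_id
WHERE t.project_id IN (SELECT project_id FROM project_members
                       WHERE user_id = :uid)
"""

# AND binds tighter than OR, so this parses as
# (permission AND title match) OR description match.
FLAWED = BASE + " AND l.title LIKE :q OR l.description LIKE :q ORDER BY l.id"
# Parentheses keep both search terms under the permission check.
FIXED = BASE + " AND (l.title LIKE :q OR l.description LIKE :q) ORDER BY l.id"


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def visible_labels(db, query, user_id, search):
    """Return (title, created_by) rows the query exposes to user_id."""
    params = {"uid": user_id, "q": f"%{search}%"}
    return db.execute(query, params).fetchall()


if __name__ == "__main__":
    db = open_db()
    # User 10 belongs only to project 1; label 2 lives in project 2.
    for name, query in (("flawed", FLAWED), ("fixed", FIXED)):
        print(name, visible_labels(db, query, 10, "deal"))
```

A regression test for this kind of fix should query as a user with no membership in the project that owns the data and assert that nothing comes back.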
Why it matters
The discovery of the information disclosure vulnerability in Vikunja is significant because it exposes sensitive task management data to unauthorized users. This flaw could lead to privacy breaches and misuse of information within organizations using the platform. Addressing such vulnerabilities is crucial for maintaining user trust and data security in open-source software.
Implications
The vulnerability could affect a wide range of organizations that rely on Vikunja for task management, potentially exposing sensitive project information. If left unaddressed, it may lead to data leaks or unauthorized access to project details, impacting organizational integrity and operations. Users may need to reassess their use of the platform until the issue is resolved, which could influence overall adoption and trust in Vikunja.
What to watch
Users of Vikunja should monitor for updates and patches from the developers, particularly the release of version 2.3.0, which is expected to address this vulnerability. Organizations using the platform may need to review their security protocols and user access permissions in the interim. Additionally, the response from the open-source community regarding this vulnerability may indicate the level of ongoing support and security focus for Vikunja.