Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-35596

4.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): NONE
Availability impact (A): NONE

created 4 days, 2 hours ago

Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed. This vulnerability is fixed in 2.3.0.

References

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-hj5c-mhh2-g7jq x_refsource_CONFIRM
https://github.com/go-vikunja/vikunja/pull/2578 x_refsource_MISC
https://github.com/go-vikunja/vikunja/commit/fc216c38afaa51dd56dde7a97343d2148ecf24c1 x_refsource_MISC
https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0 x_refsource_MISC

Affected products

vikunja

==< 2.3.0

Matching in nixpkgs

pkgs.vikunja

Todo-app to organize your life

nixos-unstable 2.2.2
- nixpkgs-unstable 2.2.2
- nixos-unstable-small 2.2.2
nixos-25.11 2.2.2
- nixos-25.11-small 2.2.2
- nixpkgs-25.11-darwin 2.2.2

pkgs.vikunja-desktop

Desktop App of the Vikunja to-do list app

nixos-unstable 2.2.2
- nixpkgs-unstable 2.2.2
- nixos-unstable-small 2.2.2

Package maintainers

@leona-ya Leona Maroni <nix@leona.is>
@adamcstephens Adam C. Stephens <happy.plan4249@valkor.net>
@kolaente Konrad Langenberg <k@knt.li>