Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-35598

4.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): NONE
Availability impact (A): NONE

created 4 days, 2 hours ago

Vikunja has Missing Authorization on CalDAV Task Read

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows (or guesses) a task UID can read the full task data from any project on the instance. This vulnerability is fixed in 2.3.0.

References

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-48ch-p4gq-x46x x_refsource_CONFIRM
https://github.com/go-vikunja/vikunja/pull/2579 x_refsource_MISC
https://github.com/go-vikunja/vikunja/commit/879462d717351fe5d276ddec5246bdec31b41661 x_refsource_MISC
https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0 x_refsource_MISC

Affected products

vikunja

==< 2.3.0

Matching in nixpkgs

pkgs.vikunja

Todo-app to organize your life

nixos-unstable 2.2.2
- nixpkgs-unstable 2.2.2
- nixos-unstable-small 2.2.2
nixos-25.11 2.2.2
- nixos-25.11-small 2.2.2
- nixpkgs-25.11-darwin 2.2.2

pkgs.vikunja-desktop

Desktop App of the Vikunja to-do list app

nixos-unstable 2.2.2
- nixpkgs-unstable 2.2.2
- nixos-unstable-small 2.2.2

Package maintainers

@leona-ya Leona Maroni <nix@leona.is>
@adamcstephens Adam C. Stephens <happy.plan4249@valkor.net>
@kolaente Konrad Langenberg <k@knt.li>