CVE-2026-40103: Authorization Bypass via Method Confusion in Vikunja API
Vulnerability ID: CVE-2026-40103
CVSS Score: 4.3
Published: 2026-04-10
Vikunja versions prior to 2.3.0 contain an authorization bypass caused by method confusion in scoped API token validation: the application checks a token's scopes against the request's URL path but does not require the HTTP method to match, so a token scoped to read a resource can also issue state-changing requests (for example DELETE) against the same path.
TL;DR
A flaw in Vikunja's scoped-token route check lets an attacker holding a low-privileged token perform unauthorized actions (e.g., DELETE) on endpoints for which the token only holds read (GET) permission, because the HTTP method of the request is never validated against the scope.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-285 (Mapped as CWE-836)
- Attack Vector: Network (AV:N)
- CVSS Score: 4.3 (Medium)
- Impact: Integrity: Low (I:L), Confidentiality: None, Availability: None
- Exploit Status: Proof-of-Concept Available
- KEV Status: Not Listed
Affected Systems
- Vikunja (go-vikunja): versions < 2.3.0 (fixed in 2.3.0)
Code Analysis
- Fix commit: 6a0f39b, addressing method confusion in CanDoAPIRoute()
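The program below is an added illustration of the flaw class, not Vikunja's code or its CanDoAPIRoute() implementation. The Scope and Token types, the matchPath helper, the route /api/v1/tasks/:id and the function names canDoVulnerable and canDoFixed are assumptions made for the example; the point it demonstrates is the one the advisory describes: a path-only scope check lets a GET-only token pass a DELETE request, while a check that also compares the method does not.

```go
package main

import (
	"fmt"
	"strings"
)

// Scope is one permission held by an API token: an HTTP method plus a route
// pattern. Segments beginning with ":" are placeholders (":id"), as in the
// Echo-style routers common in Go web applications. (Assumed shape for the
// example, not Vikunja's own type.)
type Scope struct {
	Method string
	Path   string
}

// Token is a simplified scoped API token (assumed shape, not Vikunja's type).
type Token struct {
	Name   string
	Scopes []Scope
}

// matchPath compares a concrete request path with a route pattern segment by
// segment, treating ":param" segments as wildcards.
func matchPath(pattern, path string) bool {
	ps := strings.Split(strings.Trim(pattern, "/"), "/")
	rs := strings.Split(strings.Trim(path, "/"), "/")
	if len(ps) != len(rs) {
		return false
	}
	for i := range ps {
		if strings.HasPrefix(ps[i], ":") {
			continue
		}
		if ps[i] != rs[i] {
			return false
		}
	}
	return true
}

// canDoVulnerable is the flawed check: it looks only at the route path, so once
// any scope's path matches, every HTTP method on that path is permitted.
// The method parameter is deliberately ignored to mirror the bug.
func canDoVulnerable(t Token, _ string, path string) bool {
	for _, s := range t.Scopes {
		if matchPath(s.Path, path) {
			return true
		}
	}
	return false
}

// canDoFixed is the hardened check: the request method must equal the scope's
// method and the path must match. Methods are normalised to upper case so a
// lower-case "delete" cannot slip past a case-sensitive comparison.
func canDoFixed(t Token, method, path string) bool {
	method = strings.ToUpper(method)
	for _, s := range t.Scopes {
		if strings.ToUpper(s.Method) == method && matchPath(s.Path, path) {
			return true
		}
	}
	return false
}

// readOnlyTaskToken builds a token that may only read a single task. The route
// /api/v1/tasks/:id is used here for illustration only.
func readOnlyTaskToken() Token {
	return Token{
		Name:   "ci-reporter",
		Scopes: []Scope{{Method: "GET", Path: "/api/v1/tasks/:id"}},
	}
}

func main() {
	tok := readOnlyTaskToken()
	// Constructed sample requests: one in scope, three that must be refused.
	requests := []struct{ method, path string }{
		{"GET", "/api/v1/tasks/42"},
		{"DELETE", "/api/v1/tasks/42"},
		{"POST", "/api/v1/tasks/42"},
		{"GET", "/api/v1/projects/7"},
	}
	for _, r := range requests {
		fmt.Printf("%-6s %-22s vulnerable=%-5v fixed=%v\n",
			r.method, r.path,
			canDoVulnerable(tok, r.method, r.path),
			canDoFixed(tok, r.method, r.path))
	}
}
```

Run it with `go run`: the DELETE and POST rows come back as allowed by the path-only check and refused by the method-aware one, which is exactly the distinction the fix enforces. When auditing a similar check in your own code, look for the same two conditions: the method must be part of the scope comparison, and it must be compared after normalisation so case or whitespace differences cannot bypass it.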
Exploit Details
- GitHub Security Advisory: Official Proof-of-Concept detailing the exploitation steps via token manipulation
Mitigation Strategies
- Upgrade to patched Vikunja version
- Audit scoped API token usage
- Restrict API token creation to trusted users
- Monitor access logs for unexpected DELETE/PUT operations, in particular state-changing requests made with scoped API tokens that were issued for read-only use
Remediation Steps:
- Identify the current running version of Vikunja.
- If the version is prior to 2.3.0, schedule an immediate upgrade.
- Download Vikunja version 2.3.0 or pull the latest stable Docker image.
- Deploy the update following the official Vikunja upgrade documentation.
- Review existing scoped API tokens and revoke any suspicious or unnecessary tokens.
References
- GitHub Security Advisory: GHSA-v479-vf79-mg83
- Fix Commit
- Fix Pull Request
- v2.3.0 Release Notes
- CVE Record