GHSA-V479-VF79-MG83

Vulnerability from github – Published: 2026-04-10 15:36 – Updated: 2026-04-10 19:47
VLAI?
Summary
Vikunja: Scoped API tokens with projects.background permission can delete project backgrounds
Details

Summary

Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with only projects.background_delete is rejected.

This is a scoped-token authorization bypass.

Details

I verified this locally on commit c5450fb55f5192508638cbb3a6956438452a712e.

Relevant code paths: * pkg/models/api_routes.go * pkg/routes/routes.go * pkg/modules/background/handler/background.go

Route registration exposes separate permissions for the same path: * GET /api/v1/projects/:project/background -> projects.background * DELETE /api/v1/projects/:project/background -> projects.background_delete

At enforcement time, CanDoAPIRoute() falls back to the parent group and reconstructs the child permission from the path segments only. For the DELETE request, that becomes background, so the matcher accepts any token containing projects.background without re-checking the HTTP method or matching the stored route detail.

This matters because RemoveProjectBackground() is a real destructive operation: * It checks project update rights. * It deletes the background file if present. * It clears the project's BackgroundFileID.

PoC

  1. Log in as a user who can update a project that already has a background.
  2. Create an API token with only: {"projects":["background"]}
  3. Send: DELETE /api/v1/projects/<project_id>/background Authorization: Bearer <token>
  4. Observe that the request succeeds and the project background is removed.

For comparison: 1. Create an API token with only: {"projects":["background_delete"]} 2. Repeat the same DELETE request. 3. Observe that the request is rejected with 401 Unauthorized.

I confirmed this locally with three validations: 1. /api/v1/routes advertises both background and background_delete. 2. The matcher unit test proves CanDoAPIRoute() accepts DELETE for background. 3. The webtest proves a real API token with only background successfully deletes the background.

Impact

Scoped API tokens can exceed their intended capability. A token intended for project background access can delete project backgrounds, which weakens the trust model for automation and third-party integrations that rely on narrowly scoped tokens.

The attacker needs a valid API token created by a user who has update rights on the target project, but the token itself only needs the weaker projects.background permission.

Severity ?
4.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "code.vikunja.io/api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40103"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-836",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T15:36:47Z",
    "nvd_published_at": "2026-04-10T17:17:13Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nVikunja\u0027s scoped API token enforcement for custom project background routes is method-confused. A token with only `projects.background` can successfully delete a project background, while a token with only `projects.background_delete` is rejected.\n\nThis is a scoped-token authorization bypass.\n\n### Details\n\nI verified this locally on commit `c5450fb55f5192508638cbb3a6956438452a712e`.\n\nRelevant code paths:\n* `pkg/models/api_routes.go`\n* `pkg/routes/routes.go`\n* `pkg/modules/background/handler/background.go`\n\nRoute registration exposes separate permissions for the same path:\n* `GET /api/v1/projects/:project/background` -\u003e `projects.background`\n* `DELETE /api/v1/projects/:project/background` -\u003e `projects.background_delete`\n\nAt enforcement time, `CanDoAPIRoute()` falls back to the parent group and reconstructs the child permission from the path segments only. For the DELETE request, that becomes `background`, so the matcher accepts any token containing `projects.background` without re-checking the HTTP method or matching the stored route detail.\n\nThis matters because `RemoveProjectBackground()` is a real destructive operation:\n* It checks project update rights.\n* It deletes the background file if present.\n* It clears the project\u0027s `BackgroundFileID`.\n\n### PoC\n\n1. Log in as a user who can update a project that already has a background.\n2. Create an API token with only:\n   `{\"projects\":[\"background\"]}`\n3. Send:\n   `DELETE /api/v1/projects/\u003cproject_id\u003e/background`\n   `Authorization: Bearer \u003ctoken\u003e`\n4. Observe that the request succeeds and the project background is removed.\n\n**For comparison:**\n1. Create an API token with only:\n   `{\"projects\":[\"background_delete\"]}`\n2. Repeat the same DELETE request.\n3. Observe that the request is rejected with `401 Unauthorized`.\n\nI confirmed this locally with three validations:\n1. `/api/v1/routes` advertises both `background` and `background_delete`.\n2. The matcher unit test proves `CanDoAPIRoute()` accepts DELETE for `background`.\n3. The webtest proves a real API token with only `background` successfully deletes the background.\n\n### Impact\n\nScoped API tokens can exceed their intended capability. A token intended for project background access can delete project backgrounds, which weakens the trust model for automation and third-party integrations that rely on narrowly scoped tokens.\n\nThe attacker needs a valid API token created by a user who has update rights on the target project, but the token itself only needs the weaker `projects.background` permission.",
  "id": "GHSA-v479-vf79-mg83",
  "modified": "2026-04-10T19:47:00Z",
  "published": "2026-04-10T15:36:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-v479-vf79-mg83"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40103"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/pull/2584"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/commit/6a0f39b252a81fa4b19dc56dc889183acc9225ae"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-vikunja/vikunja"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vikunja: Scoped API tokens with projects.background permission can delete project backgrounds"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.