GHSA-v479-vf79-mg83
Suggest an improvement- Source
- https://github.com/advisories/GHSA-v479-vf79-mg83
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-v479-vf79-mg83/GHSA-v479-vf79-mg83.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-v479-vf79-mg83
- Aliases
-
- CVE-2026-40103
- Published
- 2026-04-10T15:36:47Z
- Modified
- 2026-04-10T20:03:49.659198Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- Vikunja: Scoped API tokens with projects.background permission can delete project backgrounds
- Details
-
Summary
Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only
projects.backgroundcan successfully delete a project background, while a token with onlyprojects.background_deleteis rejected.This is a scoped-token authorization bypass.
Details
I verified this locally on commit
c5450fb55f5192508638cbb3a6956438452a712e.Relevant code paths: *
pkg/models/api_routes.go*pkg/routes/routes.go*pkg/modules/background/handler/background.goRoute registration exposes separate permissions for the same path: *
GET /api/v1/projects/:project/background->projects.background*DELETE /api/v1/projects/:project/background->projects.background_deleteAt enforcement time,
CanDoAPIRoute()falls back to the parent group and reconstructs the child permission from the path segments only. For the DELETE request, that becomesbackground, so the matcher accepts any token containingprojects.backgroundwithout re-checking the HTTP method or matching the stored route detail.This matters because
RemoveProjectBackground()is a real destructive operation: * It checks project update rights. * It deletes the background file if present. * It clears the project'sBackgroundFileID.PoC
- Log in as a user who can update a project that already has a background.
- Create an API token with only:
{"projects":["background"]} - Send:
DELETE /api/v1/projects/<project_id>/backgroundAuthorization: Bearer <token> - Observe that the request succeeds and the project background is removed.
For comparison: 1. Create an API token with only:
{"projects":["background_delete"]}2. Repeat the same DELETE request. 3. Observe that the request is rejected with401 Unauthorized.I confirmed this locally with three validations: 1.
/api/v1/routesadvertises bothbackgroundandbackground_delete. 2. The matcher unit test provesCanDoAPIRoute()accepts DELETE forbackground. 3. The webtest proves a real API token with onlybackgroundsuccessfully deletes the background.Impact
Scoped API tokens can exceed their intended capability. A token intended for project background access can delete project backgrounds, which weakens the trust model for automation and third-party integrations that rely on narrowly scoped tokens.
The attacker needs a valid API token created by a user who has update rights on the target project, but the token itself only needs the weaker
projects.backgroundpermission. - Database specific
{ "nvd_published_at": "2026-04-10T17:17:13Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-836", "CWE-863" ], "github_reviewed_at": "2026-04-10T15:36:47Z" }- References
-
- https://github.com/go-vikunja/vikunja/security/advisories/GHSA-v479-vf79-mg83
- https://nvd.nist.gov/vuln/detail/CVE-2026-40103
- https://github.com/go-vikunja/vikunja/pull/2584
- https://github.com/go-vikunja/vikunja/commit/6a0f39b252a81fa4b19dc56dc889183acc9225ae
- https://github.com/go-vikunja/vikunja
- https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0
Affected packages
Go / code.vikunja.io/api
Package
- Name
- code.vikunja.io/api
- View open source insights on deps.dev
- Purl
- pkg:golang/code.vikunja.io/api