What is the CVSS score of CVE-2026-35594?

CVE-2026-35594 has a CVSS 3.1 base score of 6.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-35594?

Yes, a patch is available for CVE-2026-35594. Update the affected software to the latest version immediately.

Vikunja CVE-2026-35594

EUVD-2026-21417 MEDIUM

Insufficient Session Expiration (CWE-613)

2026-04-10 GitHub_M

GHSA-96q5-xm3p-7m84

Information Disclosure Vikunja

6.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.5 MEDIUM

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Patch released

Apr 10, 2026 - 20:30 nvd

Patch available

EUVD ID Assigned

Apr 10, 2026 - 16:00 euvd

EUVD-2026-21417

Analysis Generated

Apr 10, 2026 - 16:00 vuln.today

CVE Published

Apr 10, 2026 - 15:55 nvd

MEDIUM 6.5

DescriptionGitHub Advisory

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims in pkg/models/link_sharing.go) constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner deletes a link share or downgrades its permissions, all previously issued JWTs continue to grant the original permission level for up to 72 hours (the default service.jwtttl). This vulnerability is fixed in 2.3.0.

AnalysisAI

Vikunja prior to version 2.3.0 fails to validate link share permissions against server state during JWT authentication, allowing attackers with revoked or downgraded JWT tokens to maintain the original access level for up to 72 hours. This affects self-hosted task management deployments where link shares are used for collaboration, enabling unauthorized information disclosure and modification of shared projects even after a project owner explicitly revokes or restricts access.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	The CVSS 6.5 (Medium) score reflects the moderate but real-world impact: network-accessible, unauthenticated attack surface (AV:N, PR:N) with low complexity (AC:L), but limited scope (information disclosure and modification only, no system-wide impact). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker obtains a Vikunja link share URL (e.g., shared by a collaborator or discovered via OSINT) that grants read access to a project. The project owner later realizes the link was leaked, revokes the share via the Vikunja UI, and believes access is terminated. …
Remediation	Vendor-released patch: Vikunja 2.3.0 and later. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-35594 vulnerability details – vuln.today

Back

Vikunja CVE-2026-35594

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Share

External POC / Exploit Code