Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
Vikunja is an open-source self-hosted task management platform. Starting in version 0.20.2 and prior to version 2.2.0, the DELETE /api/v1/projects/:project/background endpoint checks CanRead permission instead of CanUpdate, allowing any user with read-only access to a project to permanently delete its background image. Version 2.2.0 fixes the issue.
AnalysisAI
A permission-check bypass vulnerability exists in Vikunja versions 0.20.2 through 2.1.x where the DELETE /api/v1/projects/:project/background endpoint incorrectly validates CanRead permissions instead of CanUpdate permissions, allowing read-only project members to permanently delete a project's background image. This affects the go-vikunja:vikunja product family, and the vulnerability has been patched in version 2.2.0 as documented in the GitHub security advisory GHSA-564f-wx8x-878h.
Technical ContextAI
Vikunja is an open-source self-hosted task management platform written in Go (cpe:2.3:a:go-vikunja:vikunja). The vulnerability stems from incorrect authorization logic in the REST API endpoint responsible for background image management. The root cause is classified under CWE-863 (Incorrect Authorization), a design-level flaw where the application fails to enforce proper role-based access control. Specifically, the endpoint checks for read-only access (CanRead capability) when it should enforce write or administrative access (CanUpdate capability), allowing privilege escalation where read-only users can perform destructive administrative operations on shared project resources.
RemediationAI
Upgrade Vikunja to version 2.2.0 or later immediately. This patch corrects the authorization logic to require CanUpdate permissions for background deletion. Users unable to upgrade immediately should restrict project read-only access to trusted users only, implement network-level access controls to limit API exposure, and audit project member permissions to remove unnecessary read-only grants. For self-hosted deployments, consider temporarily disabling background image functionality via configuration if available. Consult the vendor advisory at https://github.com/go-vikunja/vikunja/security/advisories/GHSA-564f-wx8x-878h for deployment-specific guidance.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13708
GHSA-564f-wx8x-878h