GHSA-2vq4-854f-5c72 / CVE-2026-35595: the recursive permission CTE
cascades Admin from any owned ancestor, so a user with Write on a
shared project could reparent it under an attacker-owned root and
resolve as Admin on the moved project via the new parent.
Require Admin on both the moved project and the new parent whenever
parent_project_id is set to a non-zero value that differs from the
stored value. The gate lives in UpdateProject rather than CanUpdate
because CanUpdate is reused by permission-check-only callers
(buckets, webhooks, task ops) that pass stub &Project{ID:...} values
with ParentProjectID=0 and never commit a reparent — gating there
would spuriously trip the check for every such call.
Only non-zero ParentProjectID is gated: the generic update handler
binds a fresh struct, so an omitted parent_project_id is
indistinguishable from an explicit 0. Detach-to-root via the generic
endpoint is therefore out of scope for this fix and is tracked as a
follow-up (needs a pointer field to disambiguate).
|
||
|---|---|---|
| .claude | ||
| .github | ||
| .vscode | ||
| .zed | ||
| build | ||
| contrib | ||
| desktop | ||
| examples/plugins/example | ||
| frontend | ||
| pkg | ||
| rest | ||
| .devcontainer.json | ||
| .dockerignore | ||
| .editorconfig | ||
| .envrc | ||
| .gitignore | ||
| .golangci.yml | ||
| .opensourcefinder-verify | ||
| AGENTS.md | ||
| CHANGELOG.md | ||
| CLAUDE.md | ||
| CONTRIBUTING.md | ||
| CRUSH.md | ||
| Dockerfile | ||
| LICENSE | ||
| README.md | ||
| cliff.toml | ||
| code-header-template.txt | ||
| conductor.json | ||
| config-raw.json | ||
| crowdin.yml | ||
| devenv.lock | ||
| devenv.nix | ||
| devenv.yaml | ||
| go.mod | ||
| go.sum | ||
| magefile.go | ||
| main.go | ||
| nfpm.yaml | ||
| publiccode.yml | ||
| renovate.json | ||
| tsconfig.json | ||
| vikunja.initd | ||
| vikunja.service | ||
README.md
Vikunja
The Todo-app to organize your life.
If Vikunja is useful to you, please consider buying me a coffee, sponsoring me on GitHub or buying a sticker pack. I'm also offering a hosted version of Vikunja if you want a hassle-free solution for yourself or your team.
Table of contents
Security Reports
If you find any security-related issues you don't want to disclose publicly, please use the contact information on our website.
Features
See the features page on our website for a more exhaustive list or try it on try.vikunja.io!
Docs
All docs can be found on the Vikunja home page.
Roadmap
See the roadmap (hosted on Vikunja!) for more!
Contributing
Please check out the contribution guidelines on the website.
License
Most of this repository is licensed under AGPL‑3.0‑or‑later.
The contents of desktop/ are licensed under
GPL‑3.0‑or‑later.
Unsplash Images
Background images from Unsplash are distributed under the Unsplash License. The license requires giving credit to the photographer and Unsplash. See Unsplash’s terms for more information.