Vikunja Link Sharing JWT Authorization Bypass Vulnerability
Vulnerability
A vulnerability in Vikunja's link sharing feature allows deleted or downgraded permissions to remain effective for up to 72 hours. This issue arises because the authorization process relies solely on JWT claims, without verifying against the database. As a result, when a project owner removes a link share or reduces its permissions, previously issued JWTs still provide the original access level for the duration of their validity. This vulnerability affects Vikunja versions prior to 2.3.0.
Impact
Link shares that have been deleted or downgraded in permissions can still be accessed using their JWTs for up to 72 hours, allowing unauthorized access to project resources. This issue disrupts the ability to manage link share permissions effectively and respond to security concerns in a timely manner.
Reproduction
To reproduce this vulnerability, first create a link share with admin-level permissions on a project. After obtaining the link share JWT, delete the share. The JWT will still be valid and grant admin access for up to 72 hours. Alternatively, downgrade a link share's permissions and observe that the old JWT still reflects the previous access level.
Remediation
Users can update to Vikunja version 2.3.0, which includes a fix that validates link share JWTs against the database, ensuring that revoked shares are properly recognized and unauthorized access is prevented.
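The following Go program is an added illustration of the two authorization patterns described in the Vulnerability and Remediation sections above; it is not Vikunja's code and does not use its claim names or database schema. It issues a simplified HS256-style token (header.claims.HMAC, built from the standard library rather than a JWT library), then compares a handler that trusts the token's own permission claim with one that re-reads the share from a store after verifying the signature. Claim names, the numeric right scale and the ShareStore type are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims carried by a link-share token. Field names are constructed for this
// example and are not Vikunja's real claim names.
type Claims struct {
	ShareID   int64 `json:"share_id"`
	ProjectID int64 `json:"project_id"`
	Right     int   `json:"right"` // constructed scale: 0 read, 1 write, 2 admin
	Exp       int64 `json:"exp"`
}

const (
	RightRead  = 0
	RightWrite = 1
	RightAdmin = 2
)

// ShareStore stands in for the database table of link shares.
type ShareStore struct{ shares map[int64]Claims }

func NewShareStore() *ShareStore { return &ShareStore{shares: map[int64]Claims{}} }

func (s *ShareStore) Create(id, projectID int64, right int) {
	s.shares[id] = Claims{ShareID: id, ProjectID: projectID, Right: right}
}

func (s *ShareStore) Downgrade(id int64, right int) {
	if rec, ok := s.shares[id]; ok {
		rec.Right = right
		s.shares[id] = rec
	}
}

func (s *ShareStore) Delete(id int64) { delete(s.shares, id) }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Issue builds header.claims.signature with an HMAC-SHA256 signature and the
// given lifetime (the advisory's 72 hours in the demo below).
func Issue(key []byte, c Claims, ttl time.Duration, now time.Time) string {
	c.Exp = now.Add(ttl).Unix()
	payload, _ := json.Marshal(c)
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// Parse checks the signature and expiry, then returns the embedded claims.
func Parse(key []byte, token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return Claims{}, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, errors.New("bad payload encoding")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, errors.New("bad payload")
	}
	if now.Unix() >= c.Exp {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// AuthorizeFromClaims is the pre-2.3.0 pattern: the effective right comes only
// from the token, so a deleted or downgraded share stays usable until Exp.
func AuthorizeFromClaims(key []byte, token string, now time.Time) (int, error) {
	c, err := Parse(key, token, now)
	if err != nil {
		return -1, err
	}
	return c.Right, nil
}

// AuthorizeAgainstStore is the remediated pattern: a valid signature only
// identifies the share; the current right is read from the store, and a
// missing row is treated as revocation.
func AuthorizeAgainstStore(key []byte, token string, store *ShareStore, now time.Time) (int, error) {
	c, err := Parse(key, token, now)
	if err != nil {
		return -1, err
	}
	cur, ok := store.shares[c.ShareID]
	if !ok {
		return -1, errors.New("link share revoked")
	}
	if cur.ProjectID != c.ProjectID {
		return -1, errors.New("share no longer belongs to this project")
	}
	return cur.Right, nil
}

func main() {
	key := []byte("example-signing-key") // constructed key
	store := NewShareStore()
	now := time.Now()
	store.Create(7, 42, RightAdmin)
	tok := Issue(key, store.shares[7], 72*time.Hour, now)

	store.Downgrade(7, RightRead)
	r1, _ := AuthorizeFromClaims(key, tok, now.Add(time.Hour))
	r2, _ := AuthorizeAgainstStore(key, tok, store, now.Add(time.Hour))
	fmt.Println("after downgrade: claims-only =", r1, "store-checked =", r2)

	store.Delete(7)
	r3, _ := AuthorizeFromClaims(key, tok, now.Add(time.Hour))
	_, err := AuthorizeAgainstStore(key, tok, store, now.Add(time.Hour))
	fmt.Println("after delete: claims-only =", r3, "store-checked error =", err)
}
```

The store lookup costs one indexed read per request, which is the price of making a deletion or downgrade take effect immediately instead of at token expiry; the signature check is still needed so that the share ID in the token cannot simply be edited.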