Vikunja Scoped API Token Authorization Bypass Vulnerability
Vulnerability
A scoped API token authorization bypass vulnerability has been identified in Vikunja, a self-hosted task management platform, prior to version 2.3.0. The issue arises from method confusion in the token enforcement for custom project background routes. A token granted the 'projects.background' permission can successfully delete a project background, while a token with 'projects.background_delete' is denied. This vulnerability allows tokens to exceed their intended capabilities, particularly in automated processes and third-party integrations that rely on precise token scopes.
Impact
Exploitation of this vulnerability allows for unauthorized deletion of project backgrounds, a destructive action that removes background files and clears associated project data. This undermines the trust model for API token permissions, especially for integrations that depend on correctly scoped access rights.
Reproduction
To reproduce this vulnerability, log in as a user with the ability to update projects that have backgrounds. Create an API token with only the 'projects.background' permission. Then, send a DELETE request to the '/api/v1/projects/<project_id>/background' endpoint, including the token in the Authorization header. The request will succeed, removing the project background. In contrast, a token with only the 'projects.background_delete' permission will be rejected, demonstrating the authorization bypass.
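The method confusion described above, modelled as an added Go example (constructed for this advisory, not Vikunja's own code): a scope table keyed by path alone lets a DELETE resolve to the generic 'projects.background' scope, while a table keyed by method and path requires 'projects.background_delete'. The scope strings and endpoint come from the advisory; the exact lookup mechanism and the non-destructive methods (GET/PUT) are assumptions.

```go
package main

import "net/http"
// Scope names and endpoint path come from the advisory; the lookup tables
// below are a constructed model of the bug class, not Vikunja's own code.
const (
	ScopeBackground       = "projects.background"
	ScopeBackgroundDelete = "projects.background_delete"
	BackgroundPath        = "/api/v1/projects/{id}/background"
)

// Route identifies an API operation by HTTP method and path pattern.
type Route struct{ Method, Path string }

// Method-confused table (pre-2.3.0 shape, assumed): keyed by path only, so
// every method on the background route resolves to the generic scope and the
// dedicated delete scope is never consulted.
var scopeByPath = map[string]string{
	BackgroundPath: ScopeBackground,
}

// Corrected table: keyed by (method, path), so the destructive DELETE requires
// the dedicated delete scope. GET/PUT as the non-destructive methods is assumed.
var scopeByRoute = map[Route]string{
	{http.MethodGet, BackgroundPath}:    ScopeBackground,
	{http.MethodPut, BackgroundPath}:    ScopeBackground,
	{http.MethodDelete, BackgroundPath}: ScopeBackgroundDelete,
}

// hasScope reports whether the token carries the required scope.
func hasScope(tokenScopes []string, need string) bool {
	for _, s := range tokenScopes {
		if s == need {
			return true
		}
	}
	return false
}

// AuthorizedBuggy resolves the required scope by path alone (the defect).
func AuthorizedBuggy(tokenScopes []string, r Route) bool {
	need, ok := scopeByPath[r.Path]
	return ok && hasScope(tokenScopes, need)
}

// AuthorizedFixed resolves by method and path; unknown routes fail closed.
func AuthorizedFixed(tokenScopes []string, r Route) bool {
	need, ok := scopeByRoute[r]
	return ok && hasScope(tokenScopes, need)
}
```

With the buggy table a DELETE carrying only 'projects.background' is accepted and one carrying only 'projects.background_delete' is refused, exactly the behaviour the reproduction section describes; the corrected table inverts both outcomes.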
Remediation
Users are advised to update Vikunja to version 2.3.0 or later, where this vulnerability has been fixed.