CVE-2026-27819
📋 TL;DR
This vulnerability in Vikunja allows attackers to overwrite arbitrary files on the host system by uploading a malicious ZIP archive during configuration restoration. It can also crash the application and permanently wipe the database. All self-hosted Vikunja instances prior to version 2.0.0 are affected.
💻 Affected Systems
- Vikunja
📦 What is this software?
Vikunja by Vikunja
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via arbitrary file overwrite leading to remote code execution, combined with permanent database destruction and service disruption.
Likely Case
Service disruption through application crash and database loss, potentially combined with file system manipulation.
If Mitigated
Limited impact if proper network segmentation and file system permissions prevent lateral movement.
🎯 Exploit Status
Exploitation requires access to the configuration restore feature, typically requiring administrative privileges. The vulnerability is straightforward to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.0
Vendor Advisory: https://github.com/go-vikunja/vikunja/security/advisories/GHSA-42wg-38gx-85rh
Restart Required: Yes
Instructions:
1. Back up your Vikunja data and configuration.
2. Stop the Vikunja service.
3. Update to version 2.0.0 or later using your package manager or by downloading from the official repository.
4. Restart the Vikunja service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Disable configuration restore functionality
Applies to: all platforms. Remove or restrict access to the configuration restore feature in Vikunja's web interface or API.
# Modify Vikunja configuration to disable restore functionality
# Check Vikunja documentation for specific configuration options
Implement strict file system permissions
Applies to: Linux. Run Vikunja with minimal privileges and implement strict file system access controls.
# Run Vikunja as non-root user
sudo chown -R vikunja:vikunja /path/to/vikunja/data
sudo chmod 750 /path/to/vikunja/data
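The TL;DR describes arbitrary file overwrite from a malicious ZIP handled by the configuration restore. The usual way an archive achieves that is through entry names that resolve outside the extraction directory (absolute paths or ".." components); that mechanism is an assumption about this bug, not something the advisory spells out. The Go program below is an added illustration, not Vikunja's code or the vendor's fix: it validates every entry of an in-memory archive against a restore root before anything is written, and also caps entry count and total uncompressed size. The restore directory, the sample archives and the size limits are constructed for the example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)

// entry is a constructed name/content pair used only to build sample archives.
type entry struct {
	Name string
	Body string
}

// safeEntryPath resolves an archive entry name against root and rejects any
// name that would write outside root: empty names, absolute paths, backslash
// separators, and ".." components that climb above the restore directory.
func safeEntryPath(root, name string) (string, error) {
	if name == "" || strings.HasPrefix(name, "/") || strings.Contains(name, "\\") {
		return "", fmt.Errorf("rejected entry %q: empty, absolute or non-slash path", name)
	}
	cleanRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Join cleans the result, so "a/../../x" collapses to a path that no longer
	// starts with cleanRoot plus a separator; that prefix test is the traversal check.
	dest := filepath.Join(cleanRoot, filepath.FromSlash(name))
	prefix := cleanRoot
	if !strings.HasSuffix(prefix, string(filepath.Separator)) {
		prefix += string(filepath.Separator)
	}
	if !strings.HasPrefix(dest, prefix) {
		return "", fmt.Errorf("rejected entry %q: escapes restore root", name)
	}
	return dest, nil
}

// checkArchive validates every entry of an in-memory ZIP before anything is
// written, so a single bad entry aborts the whole restore instead of being
// discovered halfway through extraction. Entry count and declared total
// uncompressed size are capped as well. Returns the resolved destination
// paths in archive order.
func checkArchive(data []byte, root string, maxEntries int, maxBytes uint64) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	if len(zr.File) > maxEntries {
		return nil, fmt.Errorf("archive has %d entries, limit is %d", len(zr.File), maxEntries)
	}
	var total uint64
	dests := make([]string, 0, len(zr.File))
	for _, f := range zr.File {
		dest, err := safeEntryPath(root, f.Name)
		if err != nil {
			return nil, err
		}
		total += f.UncompressedSize64
		if total > maxBytes {
			return nil, fmt.Errorf("archive expands past %d bytes", maxBytes)
		}
		dests = append(dests, dest)
	}
	return dests, nil
}

// buildZip constructs a small archive in memory from the given entries. It is
// only here to produce sample input and deliberately does not validate names,
// so it can produce the kind of archive the check has to reject.
func buildZip(entries []entry) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, err := zw.Create(e.Name)
		if err != nil {
			panic(err)
		}
		if _, err := w.Write([]byte(e.Body)); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	root := "/tmp/vikunja-restore" // hypothetical restore directory
	good := buildZip([]entry{{"config.yml", "service:\n"}, {"files/1/avatar.png", "png"}})
	bad := buildZip([]entry{{"config.yml", "service:\n"}, {"../../outside.txt", "x"}})
	for name, data := range map[string][]byte{"good": good, "bad": bad} {
		dests, err := checkArchive(data, root, 1000, 64<<20)
		fmt.Printf("%s archive: dests=%v err=%v\n", name, dests, err)
	}
}
```

The size cap relies on the size declared in the archive's central directory, which an attacker controls; a real extractor should additionally bound the bytes actually copied per entry (for example with io.LimitReader) and write into a fresh temporary directory that is renamed into place only after every entry has passed validation.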
🧯 If You Can't Patch
- Disable or restrict access to the configuration restore feature entirely
- Implement network segmentation to isolate Vikunja instances from critical systems
🔍 How to Verify
Check if Vulnerable:
Check your Vikunja version. If it's below 2.0.0, you are vulnerable.
Check Version:
vikunja --version or check the web interface's about page
Verify Fix Applied:
After updating, verify the version is 2.0.0 or higher and test that configuration restore functionality works without crashing.
📡 Detection & Monitoring
Log Indicators:
- Unexpected application crashes during configuration restore
- File system access errors outside expected directories
- Large ZIP file uploads to restore endpoints
Network Indicators:
- HTTP POST requests to /api/v1/config/restore or similar endpoints with ZIP files
- Unusual outbound connections after configuration restore
SIEM Query:
source="vikunja" AND (event="panic" OR event="crash" OR uri_path="/api/v1/config/restore")