Vikunja

Open-source self-hostable to-do app for teams.

Vikunja crossed the v1.0 finish line and pivoted hard into security hardening.

Tags: security hardening, SSRF protection, IDOR fixes, account lockout, self-hosted, task management
Current state
Vikunja shipped two v1.0 release candidates through late 2025 and early 2026, then jumped to a v2 series whose first widely tagged point release, v2.2.1, is dominated by security work. The latest release patches multiple SSRF and IDOR vulnerabilities, enforces disabled/locked-account semantics across every auth surface (OIDC, API tokens, CalDAV, LDAP), and adds a shared SSRF-safe HTTP client that webhooks and migrations now route through. User-facing feature work has slowed; the visible energy is in plumbing and audit cleanup.
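To make concrete what a "shared SSRF-safe HTTP client" for webhooks and migrations has to guarantee, here is an added illustration in Go (Vikunja's language) that is not Vikunja's code: the names isBlockedIP, safeDial and NewSSRFSafeClient are assumptions of this example. The check sits at dial time rather than on the URL string, so hostnames, redirect targets and DNS rebinding all hit the same gate, and the vetted IP is dialed literally.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"time"
)

// isBlockedIP reports whether a user-supplied URL must never reach this address: loopback,
// private (RFC 1918/ULA), link-local (incl. 169.254.169.254 metadata), unspecified, multicast.
func isBlockedIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4 // judge IPv4-mapped IPv6 (::ffff:10.0.0.1) as IPv4
	}
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// safeDial resolves the host, refuses if any resolved address is blocked, then dials the
// vetted IP literally. Gating at dial time covers hostnames, redirects and DNS rebinding alike.
func safeDial(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, err
	}
	for _, ia := range ips {
		if isBlockedIP(ia.IP) {
			return nil, fmt.Errorf("ssrf guard: %s resolves to blocked address %s", host, ia.IP)
		}
	}
	d := net.Dialer{Timeout: 10 * time.Second}
	return d.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
}

// NewSSRFSafeClient returns an http.Client whose every connection, including those
// opened while following redirects, goes through safeDial.
func NewSSRFSafeClient() *http.Client {
	return &http.Client{Timeout: 30 * time.Second, Transport: &http.Transport{DialContext: safeDial}}
}

func main() {
	_, err := NewSSRFSafeClient().Get("http://127.0.0.1/")
	fmt.Println(err) // the loopback target is refused before any connection is made
}
```

Because the guard lives in the transport's dialer, a webhook whose first hop is a public host but whose 302 points at an internal address is still refused on the redirected connection.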
Where it's heading
The arc moves from feature-completion (S3 storage, drag-and-drop project moves, hover previews in late 2025) toward platform credibility — closing security gaps a self-hosted task tool needs to clear before serious team adoption. The rapid version-number jump from v1.0.0-rc4 to v2.2.1 in two months suggests v1.0 shipped and the team tagged a v2 line aimed at addressing accumulated authz debt. Expect the next several releases to keep the security-first posture rather than return to a feature push.
Prediction
The next release will likely continue closing remaining authz edges (more IDOR audits, additional credential-stripping in API responses) and bundle a translations and dependency sweep. A user-facing feature push probably waits until the security work plateaus.

Recent moves

  1. 1mo ago

    v2.2.1: SSRF and IDOR patches plus disabled-account enforcement

    v2.2.1 is almost entirely security work — three named SSRF advisories closed, a task-attachment IDOR (GHSA-jfmm-mjcp-8wq2) fixed, BasicAuth credentials stripped from webhook API responses, and disabled/locked accounts now rejected uniformly across OIDC, API tokens, CalDAV, and LDAP. The shared SSRF-safe HTTP client introduced here becomes the new internal contract for any code that fetches a user-provided URL.

  2. 3mo ago

    v1.0.0-rc4: drag-and-drop project moves, file-storage validation

    RC4 is the polish lap before v1.0 — 272 commits dominated by bug fixes and dependency updates, with a handful of usability wins: drag-and-drop to move tasks between projects, a startup check that file storage is writeable, and clipboard shortcuts for task identifiers. Sets up the v1.0 GA that the v2 security work would later build on.

  3. 5mo ago

    v1.0.0-rc3: S3 storage, comment counts, hover task previews

    RC3 pulled in 399 commits and added the kind of features that let Vikunja serve teams rather than individuals: S3 storage support, mention highlighting in comments, a configurable 12h/24h time display, and hover-card previews for tasks in list and table views. Visible groundwork for the team-adoption posture the v2 security work later targets.
