Release notes from vikunja

v2.3.0

2026-04-09T19:53:26Z

🦙 Vikunja 2.3.0 is out! 11 security fixes, a new plugin system, quick-entry window for the desktop app, Vikunja as an OAuth 2.0 provider, WeKan + CSV imports, and more across 277 commits. Updating soon is highly reccomended!

https://vikunja.io/changelog/whats-new-in-vikunja-2.3.0

v2.2.2

2026-03-23T21:35:07Z

🔒 Vikunja 2.2.2 is out: nine security fixes including a critical chain that could expose instance-wide data. Also adds centralized SSRF protection and a few nice bug fixes. Please update soon!

(2.2.1 has been released as well but did not fix the issues fully, therefore I went and pushed 2.2.2 right after)

https://vikunja.io/changelog/vikunja-v2.2.2-was-released

v2.2.1: [2.2.1] - 2026-03-23

2026-03-23T18:50:19Z

Bug Fixes

(auth) Reject disabled/locked users in OIDC callback
(auth) Reject disabled/locked users in API token middleware
(auth) Return correct error type for locked users in OIDC callback
(auth) Reject disabled/locked users in CheckUserCredentials
(auth) Skip profile updates for disabled LDAP users
(caldav) Replace href with pathname from parseURL for api base
(frontend) OrigUrlToCheck references the same object as urlToCheck
(openid) Merge VikunjaGroups and ExtraSettingsLinks from userinfo
(user) Reject disabled/locked users in getUser by default
(user) Handle status errors in pkg/user callers, remove redundant checks
(user) Handle status errors across the codebase, remove redundant checks
(user) Use getUser directly for uniqueness checks in UpdateUser
(user) Use unique error code for ErrCodeAccountLocked
Remove small class from preset label (652eb9b)
Include kanban bucket move permission in tasks preset (0085772)
Prevent TOTP passcode reuse within validity window (5f06e1d)
Update TOTP reuse test to use user10 matching rebased fixture (acafa6d)
Add TTL-based expiry and cleanup for used TOTP passcode entries (0f98c19)
Check child project's own IsArchived flag in CheckIsArchived (d0606ea)
Update ParadeDB search test count for new fixture (595002b)
Filter related tasks by project access to prevent cross-project info disclosure (67a4778)
Prevent attachment IDOR by validating task_id in ReadOne (GHSA-jfmm-mjcp-8wq2) (b8edc8f)
Prevent link share IDOR by validating project_id in Delete and ReadOne (654d2c7)
Prevent SSRF via OpenID Connect avatar download (GHSA-g9xj-752q-xh63) (363aa66)
Prevent SSRF via migration file attachment URLs (GHSA-g66v-54v9-52pr) (9329774)
Prevent SSRF via Microsoft Todo migration pagination links (73edbb6)
Prevent SSRF via Unsplash background image download (a94109e)
Block link share users from listing link shares in ReadAll (9efe1fa)
Correct error message assertion in linkshare ReadAll tests (a0478a0)
Strip BasicAuth credentials from project webhook API responses (75c9b75)
Strip BasicAuth credentials from user webhook API responses (6aef5af)
Use MySQL-compatible CREATE INDEX in migration 20260224215050 (867c527)
Skip quick add magic parsing when text is wrapped in quotes (07b9742)

Dependencies

(deps) Update dependency rollup to v4.60.0
(deps) Update dependency caniuse-lite to v1.0.30001781
(deps) Update flatted to 3.4.2 to fix prototype pollution vulnerability
(deps) Update dev-dependencies
(deps) Update dev-dependencies to v8.57.2

Documentation

Mention mole proxy in outgoingrequests config docs (701e3f9)

Features

(user) Add ErrAccountLocked error type
Add quick presets for API token permission selection (68097cf)
Add outgoingrequests config keys for centralized SSRF protection (f96b53f)
Add shared SSRF-safe HTTP client utility (0266fff)

Miscellaneous Tasks

(ci) Update golangci-lint to v2.10.1
(i18n) Update translations via Crowdin
(lint) Suppress known gosec false positives
(lint) Suppress additional gosec false positives
(lint) Suppress gosec false positives on SSRF-safe HTTP client calls

Refactor

(user) Export IsErrUserStatusError for use across packages
Reorganize quick add magic into focused modules (cb81cf1)
Add accessibleProjectIDsSubquery helper for project-level authz filtering (e2683bb)
Use accessibleProjectIDsSubquery in addBucketsToTasks (833f2ae)
Use shared SSRF-safe HTTP client in webhook code (e5a1c05)

Testing

(auth) Add comprehensive disabled/locked user auth tests
Add TOTP fixture and load it in user test bootstrap (de58f63)
Add failing test for TOTP passcode reuse prevention (5591ca9)
Add API token fixture for disabled user (198322c)
Verify disabled user's API token is rejected (e4379ef)
Verify disabled user is rejected via CalDAV auth (8b614a4)
Verify GetUserByID rejects disabled users and returns user with error (525f5ee)
Add cross-project task relation fixture for authz test (589d2a5)
Add failing test for cross-project task relation info disclosure (50c3eeb)
Add attachment fixture on inaccessible task for IDOR test (b2c3c36)
Add IDOR test for task attachment ReadOne (GHSA-jfmm-mjcp-8wq2) (3111f3d)
Use new outgoingrequests config keys in SSRF tests (d4d88c0)
Remove redundant webhook SSRF tests (848a4e7)
Add BasicAuth credentials to webhook fixture (094ff5f)
Add failing test for webhook BasicAuth credential exposure (751ab2c)
Update user count assertions for new locked user fixture (c1418c1)
Add failing tests for quote-escaped task text parsing (8538b4c)

v2.2.0

2026-03-20T13:42:37Z

🔒 Vikunja 2.2.0 is out! 10 security fixes (update now!), plus task duplication, an improved Gantt chart with subtask hierarchy & dependency arrows, and user-level webhooks. 237 commits of goodness 🚀

Check out the release post for a more in-depth view: https://vikunja.io/changelog/vikunja-v2.2.0-was-released

v2.1.0

2026-02-27T14:26:53Z

🎉 Just two days after the last release, Vikunja 2.1.0 is now released!

🔒 Fixes a security issue with password reset tokens and adds a nice touch: checklist indicators now turn green when all items are done!

Check out the full release post on the website: https://vikunja.io/changelog/vikunja-v2.1.0-was-released/

v2.0.0

2026-02-25T13:58:47Z

This release fixes 4 critical security issues. Please upgrade as soon as you can!

Check out the full release notes here: https://vikunja.io/changelog/vikunja-v2.0.0-was-released/

v1.1.0

2026-02-09T10:34:29Z

It's v1.1.0 already!

This release contains a security fix. Upgrading is highly recommended.

Check out the full release post here: https://vikunja.io/changelog/vikunja-v1.1.0-was-released/

v1.0.0

2026-01-28T11:12:59Z

v1.0.0 is here!

Check out the release post for all highlights: https://vikunja.io/changelog/whats-new-in-vikunja-1.0.0/

v1.0.0-rc4

2026-01-24T21:03:35Z

This is the 5th release candidate of v1.0.0. 272 commits have been made, most of them bug fixes and refactors but also many dependency updates. Some small new features as well, most notably:

Validate file storage is writeable on startup (#2053)
Add setting to always show bucket task count (#1966)
Move tasks between projects with drag and drop (#1945)
Format user mentions with display names in email notifications (#1930)
Add shortcut to quickly copy task identifier, title and url to clipboard (#2028)

Please test this release thoroughly and report any issues you find.

The full release changelog is available in the repo.

v1.0.0-rc3

2025-11-27T22:36:59Z

This is the fourth release candidate of v1.0.0. 399 commits have been made, most of them bug fixes but also many dependency updates. Some new features as well, most notably:

Support for S3 storage (#1688) - thanks to @maggch97!
Proper highlighting for user mentions in task description & comments (#1754) - thanks to @maggch97!
Show comment count on tasks (#1771) - thanks to @mithileshgupta12
Replace PNG-based initials avatar with SVG generation (#1802)
Add time display with configurable format (12h/24h) to non-relative date formats (#1807)
Task card preview when hovering over task title in list and table view (#1863)

Please test this release thoroughly and report any issues you find.

The full release changelog is available in the repo.