Comparison · PM

Vikunja vs Leantime

A side-by-side editorial comparison of Vikunja and Leantime — release velocity, themes, recent moves, and the top alternatives to consider.

Vikunja vs Leantime: at a glance

| Feature | Vikunja | Leantime |
| --- | --- | --- |
| Sector | PM | PM |
| Velocity score | 0.0 | 6.3 |
| Sparks · 30d | 0 | 1 |
| Top themes | security hardening, ssrf protection, idor fixes, account lockout | authentication, permissions, json-rpc-api, mobile |
| Last editorial update | 1mo ago | 4d ago |

What is Vikunja?

Vikunja crossed the v1.0 finish line and pivoted hard into security hardening.

Vikunja shipped two v1.0 release candidates through late 2025 and early 2026, then jumped to a v2 series whose first widely-tagged point release, v2.2.1, is dominated by security work. The latest release patches multiple SSRF and IDOR vulnerabilities, enforces disabled/locked-account semantics across every auth surface (OIDC, API tokens, CalDAV, LDAP), and adds a shared SSRF-safe HTTP client that webhooks and migrations now route through. User-facing feature work has slowed; the visible energy is in plumbing and audit cleanup.

What is Leantime?

Leantime hardens its new permission engine through a rapid-fire auth patch cycle.

Leantime just shipped 3.9.0, a ground-up permission engine that replaced ad-hoc role checks with centralized, fail-closed authorization across every domain, landing alongside a JSON-RPC API layer and mobile push tokens. The 3.9.1 through 3.9.4 point releases that followed are almost entirely auth stabilization: Bearer and personal-access-token authentication broke under the new Sanctum guard and took four patches to fully settle. The project is mid-transition from a legacy PHP codebase to a modern Laravel, Blade, and JSON-RPC stack.

Vikunja vs Leantime: editorial side-by-side

Vikunja (velocity score 0.0)

◆ Where it's heading

The arc moves from feature-completion (S3 storage, drag-and-drop project moves, hover previews in late 2025) toward platform credibility — closing security gaps a self-hosted task tool needs to clear before serious team adoption. The rapid version-number jump from v1.0.0-rc4 to v2.2.1 in two months suggests v1.0 shipped and the team tagged a v2 line aimed at addressing accumulated authz debt. Expect the next several releases to keep the security-first posture rather than return to a feature push.

◆ Prediction

The next release will likely continue closing remaining authz edges (more IDOR audits, additional credential-stripping in API responses) and bundle a translations and dependency sweep. A user-facing feature push probably waits until the security work plateaus.

Leantime (velocity score 6.3)

◆ Where it's heading

The direction is a comprehensive backend re-architecture, with the permission engine, JSON-RPC API, completed Blade template unification, and experimental Postgres support all converging on a cleaner, API-first core. The recent burst of Bearer-auth fixes shows the team paying down the regressions the permission-engine rollout introduced rather than adding new surface. Mobile is the next frontier: the 3.8.0 TestFlight API groundwork and 3.9.0 push tokens point to a native app nearing release.

◆ Prediction

Expect the auth-fix cadence to slow as the Bearer regressions settle, with attention shifting toward the mobile app's public launch and broader JSON-RPC endpoint coverage.

Alternatives to Vikunja and Leantime

Other PM products tracked by Sparkpulse, ranked by recent ship velocity. Each card links to a full editorial trajectory and lets you pivot into a head-to-head comparison with either Vikunja or Leantime.

Recent activity from Vikunja and Leantime

Latest ship moves from both products, interleaved chronologically. ⚡ = editorial spark.

  1. 5d ago · Leantime · Cross-project 'My Work' loading fixed; mark-done action secured
  2. 5d ago · Leantime · Unified session factory across web, API-key, and Bearer auth
  3. 6d ago · Leantime · Route-cache self-heal and Bearer/PAT token auth fix
  4. 7d ago · Leantime · Bearer API context restored; JSON-RPC contract tests + CI gate
  5. 7d ago · Leantime · Native permission engine, JSON-RPC API, and mobile push
  6. 22d ago · Leantime · Blade migration completed; mobile API surface and task collaborators
  7. 2mo ago · Vikunja · v2.2.1: SSRF and IDOR patches plus disabled-account enforcement
  8. 4mo ago · Vikunja · v1.0.0-rc4: drag-and-drop project moves, file-storage validation
  9. 6mo ago · Vikunja · v1.0.0-rc3: S3 storage, comment counts, hover task previews

Frequently asked questions

What is the difference between Vikunja and Leantime?

They serve adjacent needs but don't currently overlap on shipped themes. Leantime is currently shipping more aggressively (velocity 6.3 vs 0.0), with 1 editorial spark in the last 30 days against 0. See the at-a-glance table above for a side-by-side breakdown of velocity, recent sparks, and editorial themes.

Is Vikunja better than Leantime?

Sparkpulse doesn't pick a winner — we score release velocity, not feature parity. Leantime is currently shipping more aggressively (velocity 6.3 vs 0.0), with 1 editorial spark in the last 30 days against 0. For your specific use case, the alternatives sections above list other PM products to evaluate alongside.

What are the best alternatives to Vikunja?

Top Vikunja alternatives in PM are ranked by recent ship velocity. Browse the "Vikunja alternatives" section above for the current picks, or visit /alternatives/vikunja for the full list with editorial commentary on each.

What are the best alternatives to Leantime?

Top Leantime alternatives in PM are ranked by recent ship velocity. Browse the "Leantime alternatives" section above for the current picks, or visit /alternatives/leantime for the full list with editorial commentary on each.