CVE-2026-33677

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `GET /api/v1/projects/:project/webhooks` endpoint returns webhook BasicAuth credentials (`basic_auth_user` and `basic_auth_password`) in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC `secret` field, the BasicAuth fields added in a later migration were not given the same treatment. This allows read-only collaborators to steal credentials intended for authenticating against external webhook receivers. Version 2.2.1 patches the issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-7c2g-p23p-4jg3	Exploit Vendor Advisory
https://vikunja.io/changelog/vikunja-v2.2.2-was-released	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-24 16:16

Updated : 2026-03-27 16:29

NVD link : CVE-2026-33677

Mitre link : CVE-2026-33677

CVE.ORG link : CVE-2026-33677

JSON object : View

Products Affected

vikunja

vikunja

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo

{"id": "CVE-2026-33677", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-03-24T16:16:35.113", "references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-7c2g-p23p-4jg3", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released", "tags": ["Release Notes"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `GET /api/v1/projects/:project/webhooks` endpoint returns webhook BasicAuth credentials (`basic_auth_user` and `basic_auth_password`) in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC `secret` field, the BasicAuth fields added in a later migration were not given the same treatment. This allows read-only collaborators to steal credentials intended for authenticating against external webhook receivers. Version 2.2.1 patches the issue."}, {"lang": "es", "value": "Vikunja es una plataforma de gesti\u00f3n de tareas de c\u00f3digo abierto autoalojada. Antes de la versi\u00f3n 2.2.1, el endpoint 'GET /API/v1/projects/:project/webhooks' devuelve las credenciales BasicAuth del webhook ('basic_auth_user' y 'basic_auth_password') en texto plano a cualquier usuario con acceso de lectura al proyecto. Si bien el c\u00f3digo existente enmascara correctamente el campo 'secret' de HMAC, los campos BasicAuth a\u00f1adidos en una migraci\u00f3n posterior no recibieron el mismo tratamiento. Esto permite a los colaboradores de solo lectura robar credenciales destinadas a la autenticaci\u00f3n contra receptores de webhook externos. La versi\u00f3n 2.2.1 corrige el problema."}], "lastModified": "2026-03-27T16:29:43.947", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E8647862-9C78-473D-9FED-7AFC24335A61", "versionEndExcluding": "2.2.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}