CVE-2026-33678

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, `TaskAttachment.ReadOne()` queries attachments by ID only (`WHERE id = ?`), ignoring the task ID from the URL path. The permission check in `CanRead()` validates access to the task specified in the URL, but `ReadOne()` loads a different attachment that may belong to a task in another project. This allows any authenticated user to download or delete any attachment in the system by providing their own accessible task ID with a target attachment ID. Attachment IDs are sequential integers, making enumeration trivial. Version 2.2.1 patches the issue.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-jfmm-mjcp-8wq2	Exploit Vendor Advisory
https://vikunja.io/changelog/vikunja-v2.2.2-was-released	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*

History

30 Mar 2026, 13:57

Type	Values Removed	Values Added
CPE		cpe:2.3:a:vikunja:vikunja::::::::
References	~~() https://github.com/go-vikunja/vikunja/security/advisories/GHSA-jfmm-mjcp-8wq2 -~~	() https://github.com/go-vikunja/vikunja/security/advisories/GHSA-jfmm-mjcp-8wq2 - Exploit, Vendor Advisory
References	~~() https://vikunja.io/changelog/vikunja-v2.2.2-was-released -~~	() https://vikunja.io/changelog/vikunja-v2.2.2-was-released - Release Notes
First Time		Vikunja vikunja Vikunja

Information

Published : 2026-03-24 16:16

Updated : 2026-03-30 13:57

NVD link : CVE-2026-33678

Mitre link : CVE-2026-33678

CVE.ORG link : CVE-2026-33678

JSON object : View

Products Affected

vikunja

vikunja

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2026-33678", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2026-03-24T16:16:35.270", "references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-jfmm-mjcp-8wq2", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released", "tags": ["Release Notes"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, `TaskAttachment.ReadOne()` queries attachments by ID only (`WHERE id = ?`), ignoring the task ID from the URL path. The permission check in `CanRead()` validates access to the task specified in the URL, but `ReadOne()` loads a different attachment that may belong to a task in another project. This allows any authenticated user to download or delete any attachment in the system by providing their own accessible task ID with a target attachment ID. Attachment IDs are sequential integers, making enumeration trivial. Version 2.2.1 patches the issue."}, {"lang": "es", "value": "Vikunja es una plataforma de gesti\u00f3n de tareas de c\u00f3digo abierto y autoalojada. Antes de la versi\u00f3n 2.2.1, 'TaskAttachment.ReadOne()' consulta los adjuntos solo por ID ('WHERE id = ?'), ignorando el ID de la tarea de la ruta URL. La verificaci\u00f3n de permisos en 'CanRead()' valida el acceso a la tarea especificada en la URL, pero 'ReadOne()' carga un adjunto diferente que puede pertenecer a una tarea en otro proyecto. Esto permite a cualquier usuario autenticado descargar o eliminar cualquier adjunto en el sistema proporcionando su propio ID de tarea accesible junto con un ID de adjunto objetivo. Los ID de los adjuntos son enteros secuenciales, lo que hace que la enumeraci\u00f3n sea trivial. La versi\u00f3n 2.2.1 corrige el problema."}], "lastModified": "2026-03-30T13:57:13.337", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E8647862-9C78-473D-9FED-7AFC24335A61", "versionEndExcluding": "2.2.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}