CVE-2026-33312: Broken Object-Level Authorization (BOLA) in Vikunja Project Background Deletion
Vulnerability ID: CVE-2026-33312
CVSS Score: 5.3
Published: 2026-03-20
Vikunja versions 0.20.2 through 2.1.x are affected by a Broken Object-Level Authorization (BOLA) vulnerability. The project background deletion endpoint does not verify that the caller is allowed to modify the project, so any user or link share holding only read access can permanently delete a project's background image. The issue is fixed in version 2.2.0.
TL;DR
A medium-severity Incorrect Authorization flaw in Vikunja allows users with read-only access to permanently delete project background images via a crafted API request. The backend incorrectly checks for read permissions rather than update permissions during the deletion process.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-863
- Attack Vector: Network
- CVSS v4.0: 5.3 (Medium)
- Impact: Integrity (Low)
- Exploit Status: Proof of Concept
- CISA KEV: False
Affected Systems
- Vikunja API Backend
- Vikunja Project Management Module
- Vikunja: >= 0.20.2, < 2.2.0 (fixed in 2.2.0)
Mitigation Strategies
- Upgrade Vikunja to version 2.2.0 or later
- Until the upgrade is applied, restrict who may create read-only link shares and where they are distributed, since every holder of such a share has the read access needed to trigger the deletion
- Audit project memberships to ensure strict least-privilege access
Remediation Steps:
- Download the latest Vikunja release (v2.2.0 or higher) from the official repository
- Backup the existing Vikunja database and storage volumes
- Apply the update following standard Vikunja deployment procedures (Docker or binary replacement)
- Verify the update by attempting the background deletion with a read-only account: the API must answer 403 Forbidden and the background image must still be present afterwards
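The following Go program is an added example, not Vikunja's code and not part of the original advisory. It models the wrong check described in the TL;DR (a destructive endpoint gated on read rather than update permission) next to the corrected one, and then runs the verification probe from the last remediation step against both variants. The Project and Right types, the X-User-ID header, the route /api/v1/projects/1/background and the host vikunja.example are assumptions chosen for the illustration; Vikunja itself authenticates with tokens, and its real handler and rights code are structured differently.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Right is the permission a share grants; names are assumed stand-ins.
type Right int

const (
	RightRead  Right = iota // may view the project, including its background
	RightWrite              // may also change tasks and project settings
)

type Project struct {
	OwnerID        int64
	BackgroundFile string          // empty once the background has been removed
	Shares         map[int64]Right // user ID -> right granted to that user
}

// CanRead reports whether the user may view the project at all.
func (p *Project) CanRead(userID int64) bool {
	_, shared := p.Shares[userID]
	return userID == p.OwnerID || shared
}

// CanUpdate is the right a destructive operation on the background must require.
func (p *Project) CanUpdate(userID int64) bool {
	return userID == p.OwnerID || p.Shares[userID] >= RightWrite
}

// deleteBackground is the CWE-863 pattern from the advisory: fixed=false gates
// the deletion on CanRead only (pre-2.2.0), fixed=true on CanUpdate.
func deleteBackground(p *Project, userID int64, fixed bool) int {
	allowed := p.CanRead(userID)
	if fixed {
		allowed = p.CanUpdate(userID)
	}
	if !allowed {
		return http.StatusForbidden
	}
	p.BackgroundFile = ""
	return http.StatusNoContent
}

// newHandler exposes deleteBackground over HTTP. The route and the X-User-ID
// header (a stand-in for real bearer-token authentication) are assumptions.
func newHandler(p *Project, fixed bool) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v1/projects/1/background", func(w http.ResponseWriter, r *http.Request) {
		var userID int64
		if _, err := fmt.Sscan(r.Header.Get("X-User-ID"), &userID); err != nil {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.WriteHeader(deleteBackground(p, userID, fixed))
	})
	return mux
}

// inProcess hands requests straight to a handler so the probe needs no socket.
type inProcess struct{ h http.Handler }

func (t inProcess) RoundTrip(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	t.h.ServeHTTP(rec, r)
	return rec.Result(), nil
}

// probe is the remediation check: attempt the deletion as userID and return
// the status code the backend answered with.
func probe(client *http.Client, baseURL string, userID int64) (int, error) {
	req, err := http.NewRequest(http.MethodDelete, baseURL+"/api/v1/projects/1/background", nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("X-User-ID", fmt.Sprint(userID))
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// runScenario shares a project read-only with user 200, lets that user try the
// deletion against one backend variant, and reports status and survival.
func runScenario(fixed bool) (status int, backgroundKept bool, err error) {
	p := &Project{OwnerID: 100, BackgroundFile: "bg.jpg", Shares: map[int64]Right{200: RightRead}}
	client := &http.Client{Transport: inProcess{newHandler(p, fixed)}}
	status, err = probe(client, "http://vikunja.example", 200)
	return status, p.BackgroundFile != "", err
}

func main() {
	for _, fixed := range []bool{false, true} {
		status, kept, err := runScenario(fixed)
		fmt.Printf("fixed=%-5v read-only DELETE -> HTTP %d, background kept %v, err %v\n", fixed, status, kept, err)
	}
}
```

The vulnerable variant answers 204 and empties the background; the fixed variant answers 403 and leaves it in place, which is exactly the pair of observations the verification step asks for. To check a real deployment, replace the in-process transport with a plain http.Client, point baseURL at the instance, and send a read-only account's credentials in place of the stand-in header.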