DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-33675: Server-Side Request Forgery (SSRF) in Vikunja Task Migration

Vulnerability ID: CVE-2026-33675
CVSS Score: 6.4
Published: 2026-03-25

A Server-Side Request Forgery (SSRF) vulnerability in Vikunja versions prior to 2.2.1 allows an authenticated user to make the Vikunja server issue HTTP requests to internal network resources, and read the responses, during task migration operations.

TL;DR

Vikunja < 2.2.1 contains an SSRF flaw in its migration module: the URL of the third-party service a migration pulls from was handed to a default http.Client without any validation of where it pointed. An authenticated attacker can aim that URL at hosts the server can reach but the attacker cannot, and read what comes back, cloud instance metadata endpoints being the usual target. The issue is resolved in version 2.2.2 via a centralized SSRF-safe HTTP client used by all migration helpers.


Technical Details

  • CWE ID: CWE-918
  • Attack Vector: Network
  • CVSS v3.1: 6.4 (Medium)
  • EPSS Score: 0.00034 (0.03%)
  • Impact: Information Disclosure, Internal Reconnaissance
  • Exploit Status: No known public exploits
  • Authentication: Required (Low Privileges)

Affected Systems

  • Vikunja self-hosted task management platform
  • Vikunja: < 2.2.1 (Fixed in: 2.2.1)

Code Analysis

Commit: 9329774

Replace default http.Client with SSRF-safe client in migration helpers

-   hc := http.Client{}
-   resp, err := hc.Do(req) // #nosec G704 -- URL is from migration provider API
+   hc := utils.NewSSRFSafeHTTPClient()
+   resp, err := hc.Do(req)
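Review bot: the removed line's `#nosec G704` comment asserted the URL was trusted because it "is from migration provider API"; the replacement drops that suppression and delegates the whole decision to utils.NewSSRFSafeHTTPClient(), but nothing in the hunk shows what that client enforces, so the fix cannot be reviewed from this change alone. For the swap to close the hole rather than relocate it, the helper needs to validate the destination at dial time (the resolved IP rather than the hostname, so a DNS rebinding answer cannot slip past an earlier check), repeat that check on every redirect hop, and not honour proxy environment variables that would route around the dial check. Please link the helper's implementation, or add a test that requests 169.254.169.254 directly and via a redirecting public host and asserts both fail.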

Mitigation Strategies

  • Upgrade Vikunja to version 2.2.2 or later
  • Ensure OutgoingRequestsAllowNonRoutableIPs is set to false in config.yml
  • Implement network egress filtering on the Vikunja host so that its outbound traffic cannot reach 169.254.169.254 or private and other non-routable IP ranges, as a defence that holds even if application-level validation is bypassed
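As an added illustration of what a centralized SSRF-safe client has to do, the Go program below is example code written for this page; it is not Vikunja's utils.NewSSRFSafeHTTPClient, whose implementation is not shown here. It builds an http.Client that validates the destination in the dialer's Control hook, i.e. after DNS resolution and immediately before the socket connects, so a provider hostname that resolves to 169.254.169.254 or a private range is refused, and because every redirect hop dials afresh the same check covers redirects. The blocked-range list, the timeouts and the redirect limit are assumptions chosen for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"syscall"
	"time"
)

// blockedNets lists address ranges an outbound request must never reach.
// The list is an assumption for this example; tune it to your deployment.
var blockedNets = mustParseCIDRs(
	"0.0.0.0/8",      // "this" network; 0.0.0.0 reaches localhost on Linux
	"10.0.0.0/8",     // RFC 1918
	"100.64.0.0/10",  // carrier-grade NAT
	"127.0.0.0/8",    // loopback
	"169.254.0.0/16", // link-local, includes the 169.254.169.254 metadata endpoint
	"172.16.0.0/12",  // RFC 1918
	"192.168.0.0/16", // RFC 1918
	"224.0.0.0/4",    // multicast
	"240.0.0.0/4",    // reserved
	"::/128",         // unspecified
	"::1/128",        // loopback
	"fc00::/7",       // unique local
	"fe80::/10",      // link-local
	"ff00::/8",       // multicast
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// IsBlockedIP reports whether ip falls in a non-routable or internal range.
// IPv4-mapped IPv6 addresses are unwrapped first so ::ffff:10.0.0.1 is
// judged as 10.0.0.1 rather than slipping past the IPv4 rules.
func IsBlockedIP(ip net.IP) bool {
	if ip4 := ip.To4(); ip4 != nil {
		ip = ip4
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ValidateDialTarget is the check run from the dialer's Control hook. The
// address it receives is the already-resolved "ip:port" the socket is about
// to connect to, so it judges the real destination even when the hostname
// resolved to something different than at any earlier validation (DNS rebinding).
func ValidateDialTarget(network, address string) error {
	switch network {
	case "tcp", "tcp4", "tcp6":
	default:
		return fmt.Errorf("ssrf: network %q not allowed", network)
	}
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return fmt.Errorf("ssrf: bad dial address %q: %w", address, err)
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return fmt.Errorf("ssrf: dial target %q is not an IP literal", host)
	}
	if IsBlockedIP(ip) {
		return fmt.Errorf("ssrf: dial to non-routable address %s refused", ip)
	}
	return nil
}

// NewSSRFSafeClient builds an http.Client whose every connection, including
// those opened while following redirects, passes ValidateDialTarget.
func NewSSRFSafeClient() *http.Client {
	dialer := &net.Dialer{
		Timeout: 10 * time.Second,
		Control: func(network, address string, _ syscall.RawConn) error {
			return ValidateDialTarget(network, address)
		},
	}
	transport := &http.Transport{
		DialContext:           dialer.DialContext,
		Proxy:                 nil, // never honour HTTP_PROXY: a proxy would connect on our behalf and bypass the dial check
		TLSHandshakeTimeout:   10 * time.Second,
		ResponseHeaderTimeout: 10 * time.Second,
	}
	return &http.Client{
		Transport: transport,
		Timeout:   30 * time.Second,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return errors.New("ssrf: too many redirects")
			}
			if req.URL.Scheme != "http" && req.URL.Scheme != "https" {
				return fmt.Errorf("ssrf: redirect to scheme %q refused", req.URL.Scheme)
			}
			return nil // the next hop is still dialled through the checked dialer
		},
	}
}

func main() {
	client := NewSSRFSafeClient()
	// Constructed target: the cloud metadata endpoint named in the advisory.
	req, _ := http.NewRequestWithContext(context.Background(), http.MethodGet,
		"http://169.254.169.254/latest/meta-data/", nil)
	if _, err := client.Do(req); err != nil {
		fmt.Println("blocked:", err)
	}
}
```

Run stand-alone, the program tries the metadata URL and prints the refusal from the dial hook. The design point is that the check lives in the dialer rather than in a URL pre-check: a pre-check inspects a hostname once, while the Control hook sees the concrete IP on every connection, which is what closes both the rebinding and the redirect bypasses. In a service you would construct the client once and route every provider request through it, which is what "centralized" in the advisory amounts to.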

Remediation Steps:

  1. Download the latest Vikunja release (v2.2.2+) from the official repository.
  2. Apply the update to the application server following the standard upgrade procedure.
  3. Review config.yml and locate the 'outgoingrequests' block.
  4. Verify that 'OutgoingRequestsAllowNonRoutableIPs' is explicitly false.
  5. Restart the Vikunja service to apply the configuration changes.

