CVE-2026-33676: Cross-Project Information Disclosure in Vikunja API
Vulnerability ID: CVE-2026-33676
CVSS Score: 6.5
Published: 2026-03-25
CVE-2026-33676 is an Incorrect Authorization (CWE-863) vulnerability in the Vikunja task management platform. The application fails to enforce project-level access controls when the API populates related tasks, allowing authenticated users to read sensitive task details across projects they are not authorized to access. The vulnerability was patched in version 2.2.1.
TL;DR
Vikunja versions prior to 2.2.1 contain a flaw in API data hydration: when the API populates a task's relations, the related tasks are loaded without verifying that the requesting user has read access to their projects. An authenticated user who can read a task that is related to a task in a private project can therefore obtain that related task's full metadata (description, due date, priority) even though they are not authorized to access the project it belongs to.
Technical Details
- CWE ID: CWE-863
- Attack Vector: Network
- CVSS v3.1 Score: 6.5
- EPSS Score: 0.00028
- Confidentiality Impact: High
- Exploit Status: None
- KEV Status: Not Listed
Affected Systems
- Vikunja API Server: < 2.2.1 (fixed in 2.2.1)
Code Analysis
Commit: 833f2ae
Fix: enforce authorization checks on related tasks hydration using accessibleProjectIDsSubquery.
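The following Go program is an added illustration of the flaw and of the fix described above; it is not Vikunja's code. The data model, the in-memory `accessibleProjectIDs` function (a hypothetical stand-in for the `accessibleProjectIDsSubquery` that the real fix evaluates in SQL), and the sample tasks, relations and project memberships are all constructed for this example. `hydrateRelatedVulnerable` loads related tasks by ID alone, as the advisory says pre-2.2.1 versions did; `hydrateRelatedFixed` filters them by the caller's accessible project set.

```go
package main

import (
	"fmt"
	"sort"
)

// Task is a minimal stand-in for a Vikunja task (constructed for this example).
type Task struct {
	ID          int64
	ProjectID   int64
	Title       string
	Description string
}

// relation links two tasks; relations may cross project boundaries.
type relation struct {
	TaskID      int64
	OtherTaskID int64
}

// Constructed sample data: project 1 is shared with users 1 and 2,
// project 2 belongs to user 1 only.
var tasks = map[int64]Task{
	1: {ID: 1, ProjectID: 1, Title: "Public plan", Description: "visible to both users"},
	2: {ID: 2, ProjectID: 2, Title: "Private budget", Description: "salary figures"},
	3: {ID: 3, ProjectID: 1, Title: "Public follow-up", Description: "also shared"},
}

var relations = []relation{
	{TaskID: 1, OtherTaskID: 2}, // reaches into the private project
	{TaskID: 1, OtherTaskID: 3},
}

var projectMembers = map[int64][]int64{
	1: {1, 2},
	2: {1},
}

// accessibleProjectIDs is a hypothetical in-memory stand-in for the
// accessibleProjectIDsSubquery named in the fix: the set of project IDs
// the requesting user may read.
func accessibleProjectIDs(userID int64) map[int64]bool {
	ids := make(map[int64]bool)
	for projectID, members := range projectMembers {
		for _, m := range members {
			if m == userID {
				ids[projectID] = true
				break
			}
		}
	}
	return ids
}

// relatedTaskIDs collects the IDs of all tasks related to taskID.
func relatedTaskIDs(taskID int64) []int64 {
	var ids []int64
	for _, r := range relations {
		switch taskID {
		case r.TaskID:
			ids = append(ids, r.OtherTaskID)
		case r.OtherTaskID:
			ids = append(ids, r.TaskID)
		}
	}
	return ids
}

// hydrateRelatedVulnerable models the pre-2.2.1 behaviour: related tasks are
// loaded by ID only, so a relation into a project the caller cannot read
// still returns that task's full details.
func hydrateRelatedVulnerable(taskID int64) []Task {
	var out []Task
	for _, id := range relatedTaskIDs(taskID) {
		if t, ok := tasks[id]; ok {
			out = append(out, t)
		}
	}
	sortByID(out)
	return out
}

// hydrateRelatedFixed adds the missing check: a related task is returned only
// if its project is in the caller's accessible set. Read access to the base
// task itself is assumed to have been checked by the caller.
func hydrateRelatedFixed(taskID, userID int64) []Task {
	allowed := accessibleProjectIDs(userID)
	var out []Task
	for _, id := range relatedTaskIDs(taskID) {
		if t, ok := tasks[id]; ok && allowed[t.ProjectID] {
			out = append(out, t)
		}
	}
	sortByID(out)
	return out
}

func sortByID(ts []Task) {
	sort.Slice(ts, func(i, j int) bool { return ts[i].ID < ts[j].ID })
}

// titles returns task titles for readable output and assertions.
func titles(ts []Task) []string {
	out := make([]string, 0, len(ts))
	for _, t := range ts {
		out = append(out, t.Title)
	}
	return out
}

func main() {
	// User 2 may read task 1 and asks the API to hydrate its relations.
	fmt.Println("vulnerable:", titles(hydrateRelatedVulnerable(1)))
	fmt.Println("fixed (user 2):", titles(hydrateRelatedFixed(1, 2)))
	fmt.Println("fixed (user 1):", titles(hydrateRelatedFixed(1, 1)))
}
```

In the vulnerable path, user 2 receives "Private budget" from project 2 purely because task 1 is related to it; the fixed path drops it while still returning the related task in the shared project. In the real fix the same filter is applied inside the database query rather than after loading, which also avoids fetching the private rows at all.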
Mitigation Strategies
- Upgrade Vikunja to version 2.2.1 or higher.
- Audit existing cross-project task relationships for sensitive data exposure.
- Review application logs for anomalous API requests originating from low-privilege accounts.
Remediation Steps:
- Download the latest release of Vikunja (version 2.2.1+).
- Follow standard deployment procedures to update the API server binary or container image.
- Verify the application starts successfully and database migrations are applied.
- Validate the fix by attempting to reproduce the cross-project data read using an unauthorized test account.
References
- GitHub Security Advisory GHSA-8cmm-j6c4-rr8v
- Fix Commit 833f2aec006ac0f6643c41872e45dd79220b9174
- Fix Pull Request #2449
- Vikunja Changelog