CVE-2026-33677: CVE-2026-33677: Plaintext Credential Exposure in Vikunja Webhook API

#security #cve #cybersecurity

CVE-2026-33677: Plaintext Credential Exposure in Vikunja Webhook API

Vulnerability ID: CVE-2026-33677
CVSS Score: 6.5
Published: 2026-03-25

Vikunja versions prior to 2.2.1 suffer from a medium-severity information disclosure vulnerability (CWE-200). The webhook management API fails to redact Basic Authentication credentials during serialization, exposing plaintext usernames and passwords intended for external systems to any user with read-only project access.

TL;DR

A flaw in Vikunja's API data serialization layer exposes unredacted Basic Authentication webhook credentials to unauthorized, low-privileged collaborators.

Technical Details

Vulnerability Type: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Attack Vector: Network (Authenticated API Request)
CVSS v3.1 Score: 6.5 (Medium)
EPSS Score: 0.00031 (8.70th percentile)
Privileges Required: Low (Read-only project access)
Exploit Status: Unexploited / No public PoC
CISA KEV: Not Listed

Affected Systems

Vikunja Open Source Task Management Platform
Vikunja: < 2.2.1 (Fixed in: 2.2.1)

Mitigation Strategies

Upgrade Vikunja to patched version 2.2.1 or higher
Implement credential rotation for all exposed external systems
Audit webhook configurations for unnecessary use of high-privileged service accounts

Remediation Steps:

Download the latest Vikunja release (v2.2.1+) from the official repository.
Apply the update following the standard Vikunja upgrade documentation for your deployment type (Docker, binary, etc.).
Identify all projects currently utilizing webhooks with Basic Authentication.
Navigate to the external systems receiving these webhooks and regenerate the service account passwords.
Update the webhook configurations in Vikunja with the newly generated, securely stored credentials.