CVE-2026-33678: Insecure Direct Object Reference in Vikunja Task Attachments
Vulnerability ID: CVE-2026-33678
CVSS Score: 8.1
Published: 2026-03-25
Vikunja versions prior to 2.2.1 suffer from a critical Insecure Direct Object Reference (IDOR) vulnerability in the task attachment API. The flaw allows authenticated attackers to bypass authorization controls and systematically read or delete arbitrary file attachments across the entire application instance.
TL;DR
An IDOR in Vikunja's attachment endpoint allows low-privileged authenticated users to read or delete any task attachment on the instance by enumerating sequential attachment IDs.
Technical Details
- CWE ID: CWE-639
- Attack Vector: Network
- CVSS Score: 8.1
- EPSS Score: 0.00028
- Exploit Status: None
- KEV Status: Not Listed
- Impact: Confidentiality, Integrity
Affected Systems
- Vikunja API Server < 2.2.1
- Vikunja: < 2.2.1 (Fixed in: 2.2.1)
Mitigation Strategies
- Upgrade the application to a patched release version
- Implement WAF rate limiting on attachment endpoints to slow down enumeration
- Deploy SIEM detection logic for anomalous sequential ID access patterns
Remediation Steps
- Review current installed version of Vikunja
- Backup database and current attachment file storage
- Pull the v2.2.1 container image or download the v2.2.1 binary
- Restart the Vikunja service and verify the application functions properly
- Review access logs for the /api/v1/tasks/*/attachments/* endpoint to identify historical exploitation
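The log review and SIEM detection points above come down to one question: did a single client walk attachment IDs in sequence? The following is an added example, not Vikunja's code or part of the advisory; the log layout (client, user, method, path, status) is a constructed assumption, not Vikunja's actual access-log format, so adapt the regex to your reverse proxy's log.

```python
import re
from collections import defaultdict

# Matches requests to the attachment endpoint named in the advisory,
# /api/v1/tasks/{taskID}/attachments/{attachmentID}. The surrounding
# "client user method path status" layout is a constructed assumption.
ATTACHMENT_RE = re.compile(
    r"^(?P<client>\S+) (?P<user>\S+) (?P<method>GET|DELETE) "
    r"/api/v1/tasks/(?P<task>\d+)/attachments/(?P<att>\d+) (?P<status>\d{3})$"
)


def enumeration_candidates(log_lines, min_hits=5, max_gap=2):
    """Return {client: [attachment ids]} for clients whose longest run of
    strictly increasing attachment IDs (each step at most `max_gap` apart)
    reaches `min_hits`. Authorization failures (403) are deliberately kept
    in the run: a mix of 200 and 403 on adjacent IDs is the IDOR probe shape."""
    per_client = defaultdict(list)
    for line in log_lines:
        m = ATTACHMENT_RE.match(line.strip())
        if m:
            per_client[m["client"]].append(int(m["att"]))
    flagged = {}
    for client, ids in per_client.items():
        run = [ids[0]]
        best = run
        for prev, cur in zip(ids, ids[1:]):
            if 0 < cur - prev <= max_gap:
                run.append(cur)
            else:
                run = [cur]
            if len(run) > len(best):
                best = run
        if len(best) >= min_hits:
            flagged[client] = best
    return flagged


# Constructed sample: 10.0.0.5 walks IDs 40..46 under one task it can see;
# 10.0.0.9 opens three unrelated attachments and should not be flagged.
SAMPLE_LOG = """
10.0.0.5 alice GET /api/v1/tasks/7/attachments/40 200
10.0.0.5 alice GET /api/v1/tasks/7/attachments/41 200
10.0.0.5 alice GET /api/v1/tasks/7/attachments/42 403
10.0.0.5 alice GET /api/v1/tasks/7/attachments/43 200
10.0.0.5 alice GET /api/v1/tasks/7/attachments/44 200
10.0.0.5 alice DELETE /api/v1/tasks/7/attachments/45 200
10.0.0.5 alice GET /api/v1/tasks/7/attachments/46 200
10.0.0.9 bob GET /api/v1/tasks/12/attachments/310 200
10.0.0.9 bob GET /api/v1/tasks/12/attachments/128 200
10.0.0.9 bob GET /api/v1/tasks/3/attachments/512 200
""".strip().splitlines()

if __name__ == "__main__":
    print(enumeration_candidates(SAMPLE_LOG))
```

Tune `min_hits` and `max_gap` against a baseline of normal traffic; legitimate bulk downloads of one task's files can also produce short ascending runs.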
References
- GitHub Security Advisory GHSA-jfmm-mjcp-8wq2
- Vikunja Changelog
- CVE.org Record for CVE-2026-33678
- NVD Entry for CVE-2026-33678
- Combined Chain Advisory