DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-33679: Server-Side Request Forgery via OIDC Avatar Processing in Vikunja

Vulnerability ID: CVE-2026-33679
CVSS Score: 6.4
Published: 2026-03-25

Vikunja versions prior to 2.2.1 contain a Server-Side Request Forgery (SSRF) vulnerability in the OpenID Connect (OIDC) authentication module. The application fails to validate destination IP addresses when fetching user avatars from OIDC provider claims, allowing attackers to target internal network services.

TL;DR

Vikunja < 2.2.1 is vulnerable to SSRF via the OIDC picture claim. The application fails to validate the target IP when downloading user avatars, allowing authenticated attackers to scan internal networks or access cloud metadata services.


Technical Details

  • CWE ID: CWE-918
  • Attack Vector: Network
  • CVSS Score: 6.4
  • EPSS Score: 0.00034
  • Impact: Internal Network Scanning / Metadata Access
  • Exploit Status: Unexploited in the wild
  • KEV Status: Not Listed

Affected Systems

  • Vikunja API Server
  • Vikunja: < 2.2.1 (Fixed in: 2.2.1)

Code Analysis

Commit: 363aa66

Fix SSRF in OIDC avatar download by using NewSSRFSafeHTTPClient

Mitigation Strategies

  • Upgrade Vikunja to version 2.2.1 or higher.
  • Implement strict egress filtering on the Vikunja host to block outbound traffic to RFC 1918 internal IP addresses and cloud metadata addresses.
  • Enforce IMDSv2 on AWS cloud instances to protect against generic SSRF-to-metadata attacks.
  • Restrict allowed OIDC authentication providers to trusted endpoints.

Remediation Steps:

  1. Verify the current version of Vikunja running in the environment.
  2. Pull the latest Vikunja Docker image (>= 2.2.1) or download the latest binary from the official release page.
  3. Restart the Vikunja service and verify the application functions correctly with OIDC logins.
  4. Configure network firewalls to deny the application server access to 169.254.169.254 and other internal subnets.
