CVE-2026-33680: Permission Escalation via Link Share Hash Disclosure in Vikunja
Vulnerability ID: CVE-2026-33680
CVSS Score: 7.5
Published: 2026-03-25
Vikunja versions prior to 2.2.2 suffer from an improper authorization vulnerability in the link-sharing mechanism. The ReadAll API endpoint fails to validate permissions correctly, allowing an attacker with a read-only link share to extract authentication hashes for administrative shares. This flaw enables unauthenticated or low-privilege actors to escalate their access to full administrative control over a target project.
TL;DR
Improper authorization in Vikunja's link-sharing API exposes admin hashes to read-only users, leading to full project takeover.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-285
- CVSS v3.1: 7.5 (High)
- Attack Vector: Network
- Impact: High (Confidentiality, Integrity, Availability via Admin Escalation)
- Exploit Status: Proof-of-Concept (PoC) available
- EPSS Score: 0.03% (Percentile: 8.51%)
Affected Systems
- Vikunja open-source task management platform
- Vikunja: < 2.2.2
Code Analysis
- Commit 9efe1fa: Block link share users from ReadAll
- Commit 5cd5dc4: Require admin access to list link shares
- Commit 74d1bdd: Frontend Mitigation: Modify UI to hide link sharing management
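
The two backend commit titles above describe the corrected authorization check. The Go sketch below is an added example, not code from the Vikunja repository: the types (Permission, LinkShare, Caller), function names and placeholder hashes are hypothetical and constructed for illustration. It contrasts a listing that returns every share to any reader with one that refuses link share sessions and requires admin, and includes a regression check for the escalation.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical model for illustration; none of these are Vikunja's own types.
type Permission int
const (
	Read Permission = iota
	Admin
)

type LinkShare struct {
	Hash       string // bearer secret: holding it grants Permission
	Permission Permission
}
type Caller struct {
	ViaLinkShare bool       // session was opened with a link share hash
	Permission   Permission // effective permission on the project
}

// Flawed listing: any caller who can read the project gets every share.
func listVulnerable(c Caller, all []LinkShare) ([]LinkShare, error) {
	return all, nil
}

// Fixed listing: link share sessions are refused, other callers need admin.
func listFixed(c Caller, all []LinkShare) ([]LinkShare, error) {
	if c.ViaLinkShare || c.Permission < Admin {
		return nil, errors.New("forbidden")
	}
	return all, nil
}

// escalates reports whether list hands c a hash stronger than c's own access.
func escalates(list func(Caller, []LinkShare) ([]LinkShare, error), c Caller, all []LinkShare) (leak bool) {
	got, _ := list(c, all)
	for _, s := range got {
		leak = leak || s.Permission > c.Permission
	}
	return leak
}

func main() {
	all := []LinkShare{{"ro-placeholder", Read}, {"admin-placeholder", Admin}} // constructed sample
	ro := Caller{ViaLinkShare: true, Permission: Read}
	fmt.Println(escalates(listVulnerable, ro, all), escalates(listFixed, ro, all))
}
```

A check shaped like `escalates` is the property to assert in a regression test after upgrading: no caller should receive a share hash carrying more permission than the caller already holds.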
Mitigation Strategies
- Upgrade Vikunja to version 2.2.2 or later.
- Audit existing project link shares for unauthorized access or modification.
- Revoke and regenerate any previously exposed link share hashes.
Remediation Steps:
- Download the latest Vikunja release (2.2.2+).
- Back up the current database and configuration.
- Deploy the updated binary/container image.
- Restart the Vikunja service.
- Verify that low-privilege users can no longer access the /api/v1/projects//shares endpoint.
References
- https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8hp8-9fhr-pfm9
- https://vikunja.io/changelog/vikunja-v2.2.2-was-released
- https://nvd.nist.gov/vuln/detail/CVE-2026-33680
- https://github.com/go-vikunja/vikunja/commit/9efe1fadba817923c7c7f5953c3e9e9c5683bbf3
- https://github.com/go-vikunja/vikunja/commit/5cd5dc409bfc807f79dac5e4ef4aec54b6efd6e2