CVE-2026-33700: CVE-2026-33700: Insecure Direct Object Reference (IDOR) in Vikunja Link Share Deletion

CVE-2026-33700: Insecure Direct Object Reference (IDOR) in Vikunja Link Share Deletion

Vulnerability ID: CVE-2026-33700
CVSS Score: 6.9
Published: 2026-03-25

CVE-2026-33700 is an Insecure Direct Object Reference (IDOR) vulnerability in the Vikunja task management platform, specifically affecting the link share deletion API endpoint. This flaw allows an authenticated user with administrative privileges in one project to arbitrarily delete link shares belonging to any other project on the instance.

TL;DR

Authenticated users with project admin rights can delete link shares of any project in Vikunja < 2.2.1 due to missing cross-ownership validation in the database query.

---

Technical Details

• CWE ID: CWE-639
• Attack Vector: Network
• CVSS Score: 6.9
• EPSS Score: 0.00036
• Impact: High Integrity, High Availability (Link Shares)
• Exploit Status: None
• KEV Status: Not Listed

Affected Systems

• Vikunja API Endpoint: /api/v1/projects/:project/shares/:share
• Vikunja: < 2.2.1 (Fixed in: 2.2.1)

Mitigation Strategies

• Upgrade Vikunja software to version 2.2.1 or higher.
• Audit and enforce the principle of least privilege for project administrative access.
• Implement WAF rules to monitor anomalous DELETE requests on the shares API.

Remediation Steps:

1. Download the latest Vikunja release binary or Docker image (>= 2.2.1).
2. Schedule a brief maintenance window to minimize workflow disruption.
3. Apply the update following the official Vikunja upgrade documentation.
4. Verify the update by attempting to delete a cross-project share using a test account with limited admin privileges.

References

• GHSA-f95f-77jx-fcjc
• Vikunja Release Changelog
• CVE-2026-33700
• CVE.org Record

---

Read the full report for CVE-2026-33700 on our website for more details including interactive diagrams and full exploit analysis.