CVE Reports

Posted on • Originally published at cvereports.com

GHSA-2PV8-4C52-MF8J: Instance-Wide Data Breach via Auth Bypass and IDOR Chain in Vikunja

Vulnerability ID: GHSA-2PV8-4C52-MF8J
CVSS Score: 8.1
Published: 2026-03-26

A critical vulnerability chain in the Vikunja task management platform allows unauthenticated or minimally authenticated attackers to perform an instance-wide data breach. By combining a link-share hash disclosure (CVE-2026-33680) with a task attachment IDOR (CVE-2026-33678), attackers can read or delete any file attachment on the system.

TL;DR

Chaining an authorization bypass in the link-sharing API and an IDOR in the attachment handler allows an attacker with a read-only link to extract administrative tokens and access arbitrary files across the entire Vikunja instance.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-285, CWE-639
  • Attack Vector: Network
  • CVSS Score: 8.1
  • Impact: High Confidentiality, High Integrity
  • Exploit Status: weaponized
  • KEV Status: Not Listed

Affected Systems

  • Vikunja API < 2.2.2
  • Vikunja Frontend < 2.2.2
  • Vikunja: < 2.2.1 (Fixed in: 2.2.1)
  • Vikunja: < 2.2.2 (Fixed in: 2.2.2)

Code Analysis

Commit: 9efe1fa

Blocked link share users from listing shares in ReadAll.

Commit: 5cd5dc4

Required admin access to list link shares.

Commit: 74d1bdd

Client-side UI visibility controls for the sharing section.

Mitigation Strategies

  • Upgrade Vikunja to version 2.2.2 or later.
  • Disable link sharing functionality if immediate patching is not feasible.
  • Deploy Web Application Firewall (WAF) rules to inspect and block anomalous sequential integer requests to the attachments endpoint.

Remediation Steps:

  1. Verify the current running version of the Vikunja instance.
  2. Pull the latest Docker image or binary for version 2.2.2.
  3. Restart the Vikunja service to apply the updated application code.
  4. Audit application logs for sequential GET or DELETE requests to the /api/v1/tasks/*/attachments/* endpoints.
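Remediation step 4 asks for a log audit for sequential requests to the attachments endpoint. The following Python is an added example, not code from the advisory or from the Vikunja project: it scans constructed nginx-style access-log lines and flags any client whose requested attachment IDs form a run of consecutive integers, which is the signature of an IDOR walk. The log format, the client IPs and the run threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed nginx-style access-log lines (not real Vikunja traffic): 10.0.0.5 is an
# ordinary user; 198.51.100.23 walks attachment IDs 40..45 across several tasks.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Mar/2026:10:00:01 +0000] "GET /api/v1/tasks/12/attachments/7 HTTP/1.1" 200 5120
10.0.0.5 - - [26/Mar/2026:10:00:09 +0000] "GET /api/v1/tasks/12/attachments/19 HTTP/1.1" 200 880
10.0.0.5 - - [26/Mar/2026:10:00:15 +0000] "GET /api/v1/projects/3/tasks HTTP/1.1" 200 2300
198.51.100.23 - - [26/Mar/2026:10:01:00 +0000] "GET /api/v1/tasks/1/attachments/40 HTTP/1.1" 404 90
198.51.100.23 - - [26/Mar/2026:10:01:00 +0000] "GET /api/v1/tasks/1/attachments/41 HTTP/1.1" 200 1024
198.51.100.23 - - [26/Mar/2026:10:01:01 +0000] "GET /api/v1/tasks/1/attachments/42 HTTP/1.1" 200 64
198.51.100.23 - - [26/Mar/2026:10:01:01 +0000] "DELETE /api/v1/tasks/9/attachments/43 HTTP/1.1" 200 12
198.51.100.23 - - [26/Mar/2026:10:01:02 +0000] "GET /api/v1/tasks/9/attachments/44 HTTP/1.1" 200 3010
198.51.100.23 - - [26/Mar/2026:10:01:02 +0000] "GET /api/v1/tasks/2/attachments/45 HTTP/1.1" 404 90
"""

# Only the attachment endpoint named in the remediation steps is matched.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
    r'/api/v1/tasks/(?P<task>\d+)/attachments/(?P<att>\d+)\S* HTTP/[\d.]+" (?P<status>\d{3})'
)

def parse_attachment_requests(lines):
    """Yield (ip, method, task_id, attachment_id, status) for each attachment hit."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], m["method"], int(m["task"]), int(m["att"]), int(m["status"])

def find_enumeration(lines, min_run=5, methods=("GET", "DELETE")):
    """Return {client_ip: longest run} for clients whose attachment IDs, in log order,
    form >= min_run consecutive integers. Task IDs are ignored: an IDOR walk crosses tasks."""
    per_client = defaultdict(list)
    for ip, method, _task, att, _status in parse_attachment_requests(lines):
        if method in methods:
            per_client[ip].append(att)
    flagged = {}
    for ip, ids in per_client.items():
        best = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    for ip, run in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {run} consecutive attachment IDs requested")
```

Both 404 and 200 responses count toward the run, since an enumerating client hits missing IDs as well as existing ones; tune `min_run` to the size of your own instance.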

Read the full report for GHSA-2PV8-4C52-MF8J on our website for more details including interactive diagrams and full exploit analysis.