← Back to CVEs

CVE-2026-33676

MEDIUM

6.5

Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to. Version 2.2.1 patches the issue.

CVE Details

CVSS v3.1 Score6.5

SeverityMEDIUM

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredLOW

User InteractionNONE

Published3/24/2026

Last Modified3/27/2026

Sourcenvd

Honeypot Sightings0

Affected Products

vikunja:vikunja

Weaknesses (CWE)

CWE-863

References

https://github.com/go-vikunja/vikunja/commit/833f2aec006ac0f6643c41872e45dd79220b9174(security-advisories@github.com)

https://github.com/go-vikunja/vikunja/pull/2449(security-advisories@github.com)

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8cmm-j6c4-rr8v(security-advisories@github.com)

https://vikunja.io/changelog/vikunja-v2.2.2-was-released(security-advisories@github.com)

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8cmm-j6c4-rr8v(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.