← Retour aux CVEs

CVE-2026-33676

MEDIUM

6.5

Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to. Version 2.2.1 patches the issue.

Details CVE

Score CVSS v3.16.5

SeveriteMEDIUM

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisLOW

Interaction utilisateurNONE

Publie3/24/2026

Derniere modification3/27/2026

Sourcenvd

Observations honeypot0

Produits affectes

vikunja:vikunja

Faiblesses (CWE)

CWE-863

References

https://github.com/go-vikunja/vikunja/commit/833f2aec006ac0f6643c41872e45dd79220b9174(security-advisories@github.com)

https://github.com/go-vikunja/vikunja/pull/2449(security-advisories@github.com)

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8cmm-j6c4-rr8v(security-advisories@github.com)

https://vikunja.io/changelog/vikunja-v2.2.2-was-released(security-advisories@github.com)

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8cmm-j6c4-rr8v(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.