Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-33313 is an Insecure Direct Object Reference (IDOR) vulnerability in the Vikunja task management platform affecting versions up to 2.1.0. It allows an authenticated user to read any task comment by its comment ID, even if they do not have access to the task the comment belongs to. This happens because the authorization check only verifies if the user has access to the task ID provided in the API URL, but the comment is fetched solely by its comment ID without confirming it belongs to that task. As a result, an attacker with access to at least one task can substitute the task ID in the URL and retrieve comments from other users' private tasks, leading to unauthorized data disclosure."}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can lead to unauthorized disclosure of sensitive information contained in task comments. An attacker who is authenticated and has access to at least one task can exploit this flaw to read comments from other users' private tasks without permission. This could expose confidential details, private communications, or sensitive project information, potentially compromising privacy and security within the organization using Vikunja."}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access task comments via the API endpoint GET /api/v1/tasks/{taskID}/comments/{commentID} using an authenticated user account. If it is possible to retrieve comments by substituting the taskID with one that the user has access to but the commentID belongs to a different task, the system is vulnerable.'}, {'type': 'paragraph', 'content': 'A practical detection method involves making API requests to fetch comments with mismatched taskID and commentID pairs and observing if comments from unauthorized tasks are returned.'}, {'type': 'paragraph', 'content': 'Example command using curl (replace placeholders accordingly):'}, {'type': 'list_item', 'content': 'curl -H "Authorization: Bearer <token>" https://<vikunja-server>/api/v1/tasks/<accessible_taskID>/comments/<commentID_of_other_task>'}, {'type': 'paragraph', 'content': 'If the response returns comment data despite the comment not belonging to the accessible task, the vulnerability exists.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Vikunja to version 2.2.0 or later, where this vulnerability has been fixed.

The fix involves ensuring that the API verifies that the comment being accessed actually belongs to the task specified in the request, preventing unauthorized access.

If upgrading immediately is not possible, restrict access to the API endpoints to trusted users only and monitor for suspicious API requests that attempt to access comments across tasks.

Useful 0 Not Useful 0