CVE-2026-33313
Insecure Direct Object Reference in Vikunja Task Comments
Publication date: 2026-03-24
Last updated on: 2026-03-24
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vikunja | vikunja | to 2.2.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33313 is an Insecure Direct Object Reference (IDOR) vulnerability in the Vikunja task management platform affecting versions up to 2.1.0. It allows an authenticated user to read any task comment by its comment ID, even if they do not have access to the task the comment belongs to. This happens because the authorization check only verifies that the user has access to the task ID given in the API URL, while the comment is fetched solely by its comment ID, without confirming that it belongs to that task. As a result, an attacker with access to at least one task can substitute the task ID in the URL and retrieve comments from other users' private tasks, leading to unauthorized data disclosure. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive information contained in task comments. An attacker who is authenticated and has access to at least one task can exploit this flaw to read comments from other users' private tasks without permission. This could expose confidential details, private communications, or sensitive project information, potentially compromising privacy and security within the organization using Vikunja. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access task comments via the API endpoint `GET /api/v1/tasks/{taskID}/comments/{commentID}` using an authenticated user account. If a comment can be retrieved by supplying a taskID the user has access to together with a commentID that belongs to a different task, the system is vulnerable.

A practical detection method involves making API requests with mismatched taskID and commentID pairs and observing whether comments from unauthorized tasks are returned.

Example command using curl (replace placeholders accordingly):

```
curl -H "Authorization: Bearer <token>" https://<vikunja-server>/api/v1/tasks/<accessible_taskID>/comments/<commentID_of_other_task>
```

If the response returns comment data despite the comment not belonging to the accessible task, the vulnerability exists. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Vikunja to version 2.2.0 or later, where this vulnerability has been fixed.
The fix involves ensuring that the API verifies that the comment being accessed actually belongs to the task specified in the request, preventing unauthorized access.
If upgrading immediately is not possible, restrict access to the API endpoints to trusted users only and monitor for suspicious API requests that attempt to access comments across tasks.
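The authorization gap described in the explanation above and the ownership check described in the fix, shown side by side as an added Go sketch (Vikunja is written in Go). This is illustrative code over a constructed in-memory model, not Vikunja's own handler code; the task, comment, project and user IDs are assumptions.

```go
package main

import "errors"

// Constructed in-memory stand-in for Vikunja's tasks, comments and project
// membership; an illustrative sketch, not the project's own code.
type Task struct{ ID, ProjectID int64 }
type Comment struct {
	ID, TaskID int64
	Text       string
}

var tasks = map[int64]Task{1: {1, 10}, 2: {2, 20}}
var comments = map[int64]Comment{5: {5, 1, "note on task 1"}, 99: {99, 2, "private note on task 2"}}
var userProjects = map[int64]map[int64]bool{7: {10: true}} // user 7 is only in project 10

var ErrForbidden = errors.New("forbidden")
var ErrNotFound = errors.New("not found")

// canReadTask is the only authorization check the vulnerable handler performs.
func canReadTask(userID, taskID int64) bool {
	t, ok := tasks[taskID]
	return ok && userProjects[userID][t.ProjectID]
}

// getCommentVulnerable mirrors the CWE-639 pattern the advisory describes: the
// task from the URL is authorized, but the comment is then loaded by ID alone.
func getCommentVulnerable(userID, taskID, commentID int64) (Comment, error) {
	if !canReadTask(userID, taskID) {
		return Comment{}, ErrForbidden
	}
	if c, ok := comments[commentID]; ok {
		return c, nil
	}
	return Comment{}, ErrNotFound
}

// getCommentFixed adds the missing ownership check: the comment must belong to
// the task whose access was verified; a mismatch is reported as "not found" so
// the response does not confirm that a foreign comment ID exists.
func getCommentFixed(userID, taskID, commentID int64) (Comment, error) {
	c, err := getCommentVulnerable(userID, taskID, commentID)
	if err != nil {
		return Comment{}, err
	}
	if c.TaskID != taskID {
		return Comment{}, ErrNotFound
	}
	return c, nil
}
```

With user 7 (project 10 only), `getCommentVulnerable(7, 1, 99)` returns the comment from task 2, while `getCommentFixed(7, 1, 99)` returns ErrNotFound.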