Executive Summary

CVE-2026-33474 is a Denial of Service (DoS) vulnerability in the Vikunja task management platform affecting versions from 1.0.0-rc0 up to but not including 2.2.0.

The vulnerability occurs during the preview generation of task attachment images, where the system decodes and resizes images without enforcing limits on image dimensions or total pixel count.

An attacker can exploit this by uploading highly compressed images with extremely large dimensions, causing the server to consume excessive CPU and memory resources during the decoding and resizing process.

This resource exhaustion can degrade service performance or cause crashes, leading to denial of service.

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can impact you by allowing an attacker with authenticated write access to tasks to exhaust your server's CPU and memory resources."}, {'type': 'paragraph', 'content': 'The initial preview generation of large-dimension images consumes significant resources, which can degrade the performance of the Vikunja service or cause it to crash.'}, {'type': 'paragraph', 'content': 'If multiple large images are uploaded or multiple preview requests are made concurrently, the server may become unresponsive, resulting in denial of service for legitimate users.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring the resource usage of the Vikunja API server, especially during preview generation of task attachments. High CPU and memory consumption triggered by image preview requests may indicate exploitation attempts.'}, {'type': 'paragraph', 'content': 'A proof of concept uses a bash script combined with Python (using Pillow) to generate a large 10,000×10,000 PNG image and upload it as a task attachment, then requests an "xl" size preview to observe resource exhaustion.'}, {'type': 'paragraph', 'content': 'To detect the vulnerability on your system, you can monitor the process resource usage with commands like:'}, {'type': 'list_item', 'content': 'Use `/usr/bin/time -l` to measure time and memory usage of preview generation requests.'}, {'type': 'list_item', 'content': 'Monitor CPU and memory usage of the Vikunja API process with `top`, `htop`, or `ps aux --sort=-%mem`.'}, {'type': 'list_item', 'content': 'Check logs or metrics for unusually high latency or resource consumption during image preview generation.'}, {'type': 'paragraph', 'content': 'Additionally, you can attempt to reproduce the issue by uploading large-dimension images (e.g., 10,000×10,000 PNG) and observing the system behavior.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Upgrade Vikunja to version 2.2.0 or later, where the vulnerability is patched.
• Enforce strict bounds on image dimensions and total pixels before decoding images for preview generation, for example rejecting images exceeding 8000×8000 pixels or 20 million total pixels.
• Implement early failure by reading image headers to extract dimensions without fully decoding the image.
• Apply per-user and per-attachment rate limiting on preview generation requests to prevent resource exhaustion.
• Consider pre-generating previews asynchronously with throttling and backpressure mechanisms.
• Maintain caching of previews but configure cache eviction policies to avoid repeated heavy processing.

Useful 0 Not Useful 0