Executive Summary

CVE-2026-33675 is a Server-Side Request Forgery (SSRF) vulnerability in the Vikunja task management platform, specifically in the migration helper functions used for Todoist and Trello migrations.

The vulnerable functions, DownloadFile and DownloadFileWithHeaders, make arbitrary HTTP GET requests without any SSRF protections such as URL validation or blocking of internal IP addresses.

When a user triggers a migration, file attachment URLs from third-party APIs are passed unchecked to these functions, allowing an attacker to craft malicious URLs that cause the Vikunja server to fetch internal network resources.

The attacker can then retrieve the response as a downloadable task attachment, effectively exfiltrating sensitive internal data.

This issue was fixed in version 2.2.1 by replacing the standard HTTP client with a custom SSRF-safe HTTP client that restricts unsafe requests and limits response sizes.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows authenticated attackers to read sensitive internal resources that the Vikunja server can access.

• Exfiltration of cloud instance metadata such as IAM credentials and instance identity.
• Access to internal network services and APIs that are normally protected from external access.
• Potential denial of service due to unbounded memory allocation when downloading large or streaming responses, as there was no response size limit.

The vulnerability requires the target Vikunja instance to have Todoist or Trello migration enabled with OAuth credentials configured, which is common in standard deployments.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unusual HTTP GET requests initiated by the Vikunja server during Todoist or Trello migrations, especially requests to internal or non-routable IP addresses that should not normally be accessed.'}, {'type': 'paragraph', 'content': 'You can check Vikunja server logs for HTTP requests made during migration processes to suspicious URLs, particularly those pointing to internal network resources such as 169.254.169.254 (cloud metadata service) or RFC1918 IP ranges.'}, {'type': 'paragraph', 'content': 'Suggested commands include using network monitoring tools or packet capture utilities to detect outgoing HTTP requests from the Vikunja server to internal IP addresses.'}, {'type': 'list_item', 'content': "Use tcpdump or tshark to capture HTTP traffic from the Vikunja server: tcpdump -i <interface> 'tcp port 80 or 443' and filter for internal IP ranges."}, {'type': 'list_item', 'content': 'Check Vikunja application logs for migration-related HTTP requests or attachments referencing internal URLs.'}, {'type': 'list_item', 'content': 'Use curl or wget commands to test if the server can access internal resources, e.g., curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ from the Vikunja host.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Vikunja to version 2.2.1 or later, where the vulnerability is patched by integrating an SSRF-safe HTTP client that restricts unsafe outgoing requests during migration.

If upgrading immediately is not possible, consider disabling the Todoist and Trello migration features to prevent triggering the vulnerable code paths.

Additionally, restrict network access from the Vikunja server to internal resources by firewall rules or network segmentation to block unauthorized HTTP requests to internal IP ranges.

Monitor and audit migration activities and attachments for suspicious URLs or unexpected internal resource access.

Useful 0 Not Useful 0