CVE-2026-33676
Received Received - Intake
Information Disclosure in Vikunja API via Inadequate Permission Checks

Publication date: 2026-03-24

Last updated on: 2026-03-27

Assigner: GitHub, Inc.

Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to. Version 2.2.1 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-27
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33676
EUVD
EUVD-2026-14917
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vikunja vikunja to 2.2.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33676 is an authorization bypass vulnerability in the Vikunja task management platform. The issue occurs because the API function responsible for returning related tasks (`addRelatedTasksToTasks()`) does not check whether the requesting user has permission to read the projects those related tasks belong to. As a result, an authenticated user who can read a task with cross-project relations can see full details of related tasks from projects they are not authorized to access.

This means sensitive task information such as title, description, due dates, priority, percent completion, and project IDs from unauthorized projects can be disclosed. The vulnerability arises from missing authorization checks on related tasks, unlike other parts of the API that correctly enforce project-level access control.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive task metadata across project boundaries. An attacker who is authenticated and has access to at least one project can exploit cross-project task relations to view detailed information about tasks in projects they should not have access to.

  • Exposure of confidential task details such as titles, descriptions, due dates, priorities, and completion percentages.
  • Leakage of private project existence and project IDs, potentially revealing organizational structure or sensitive project information.
  • Undermining of project-level access controls in multi-tenant or team environments, leading to potential privacy and security breaches.
  • No user interaction is required beyond having an authenticated account and the presence of cross-project task relations created by privileged users.
Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by testing whether an authenticated user can retrieve related tasks from projects they do not have read access to via the Vikunja API.

Specifically, you can attempt to access task details through the API endpoints that return tasks with related tasks included, such as:

  • GET /api/v1/projects/{id}/views/{id}/tasks
  • GET /api/v1/tasks/{id}

By making authenticated requests to these endpoints for tasks that have cross-project relations, you can check if the `related_tasks` field contains full details of tasks from projects the user should not have access to.

No specific commands are provided in the resources, but a practical approach is to use tools like curl or Postman to perform authenticated API requests to the above endpoints and inspect the `related_tasks` field in the JSON response for unauthorized data exposure.

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade Vikunja to version 2.2.1 or later, where this vulnerability has been patched.'}, {'type': 'paragraph', 'content': "The patch enforces proper authorization checks by filtering related tasks based on the requesting user's read permissions on the projects those tasks belong to."}, {'type': 'paragraph', 'content': 'If upgrading immediately is not possible, consider restricting access to the vulnerable API endpoints or disabling cross-project task relations until the fix can be applied.'}] [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33676. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart