Can you explain this vulnerability to me?

CVE-2026-33676 is an authorization bypass vulnerability in the Vikunja task management platform. The issue occurs because the API function responsible for returning related tasks (`addRelatedTasksToTasks()`) does not check whether the requesting user has permission to read the projects those related tasks belong to. As a result, an authenticated user who can read a task with cross-project relations can see full details of related tasks from projects they are not authorized to access.

This means sensitive task information such as title, description, due dates, priority, percent completion, and project IDs from unauthorized projects can be disclosed. The vulnerability arises from missing authorization checks on related tasks, unlike other parts of the API that correctly enforce project-level access control.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability can lead to unauthorized disclosure of sensitive task metadata across project boundaries. An attacker who is authenticated and has access to at least one project can exploit cross-project task relations to view detailed information about tasks in projects they should not have access to.

• Exposure of confidential task details such as titles, descriptions, due dates, priorities, and completion percentages.
• Leakage of private project existence and project IDs, potentially revealing organizational structure or sensitive project information.
• Undermining of project-level access controls in multi-tenant or team environments, leading to potential privacy and security breaches.
• No user interaction is required beyond having an authenticated account and the presence of cross-project task relations created by privileged users.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing whether an authenticated user can retrieve related tasks from projects they do not have read access to via the Vikunja API.

Specifically, you can attempt to access task details through the API endpoints that return tasks with related tasks included, such as:

• GET /api/v1/projects/{id}/views/{id}/tasks
• GET /api/v1/tasks/{id}

By making authenticated requests to these endpoints for tasks that have cross-project relations, you can check if the `related_tasks` field contains full details of tasks from projects the user should not have access to.

No specific commands are provided in the resources, but a practical approach is to use tools like curl or Postman to perform authenticated API requests to the above endpoints and inspect the `related_tasks` field in the JSON response for unauthorized data exposure.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade Vikunja to version 2.2.1 or later, where this vulnerability has been patched.'}, {'type': 'paragraph', 'content': "The patch enforces proper authorization checks by filtering related tasks based on the requesting user's read permissions on the projects those tasks belong to."}, {'type': 'paragraph', 'content': 'If upgrading immediately is not possible, consider restricting access to the vulnerable API endpoints or disabling cross-project task relations until the fix can be applied.'}] [1, 3]

Useful 0 Not Useful 0