CVE-2026-33677
Information Disclosure in Vikunja Webhooks Exposes BasicAuth Credentials
Publication date: 2026-03-24
Last updated on: 2026-03-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vikunja | vikunja | < 2.2.1 (2.2.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33677 is a moderate-severity information disclosure vulnerability in the Vikunja open-source task management platform. Before version 2.2.1, the API endpoint GET /api/v1/projects/:project/webhooks returns webhook BasicAuth credentials (basic_auth_user and basic_auth_password) in plaintext to any user with read-only access to the project.
While the HMAC secret field was properly masked, the BasicAuth fields introduced in a later migration were not masked, allowing read-only collaborators to steal these credentials. This happens because the API includes these fields in its response without clearing them, exposing sensitive authentication information.
How can this vulnerability impact me?
This vulnerability allows any user with read-only access to a project to obtain webhook BasicAuth credentials intended for authenticating against external webhook receivers.
An attacker with read access can steal these credentials and potentially use them to gain unauthorized access to external services such as CI/CD systems, notification endpoints, or third-party APIs that rely on these webhooks for authentication.
This broadens the exposure surface to all project readers, including team members or users with link shares, increasing the risk of credential theft and misuse.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by querying the vulnerable API endpoint to see if webhook BasicAuth credentials are exposed in plaintext to users with read-only access.
A practical approach is to use an HTTP client to send a GET request to the endpoint `/api/v1/projects/:project/webhooks` as a user with read-only access and inspect the response for the presence of `basic_auth_user` and `basic_auth_password` fields in plaintext.
Example curl command to test the vulnerability (replace placeholders accordingly):
```bash
curl -H "Authorization: Bearer <read_only_user_token>" https://<vikunja-server>/api/v1/projects/<project_id>/webhooks
```
If the response JSON contains `basic_auth_user` and `basic_auth_password` fields with actual credential values (not masked or empty), the system is vulnerable. [1]
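The check above can be automated over the saved JSON response so that every webhook in a project is inspected rather than eyeballed. The following Go program is an added example, not Vikunja code or part of the advisory; the field names `basic_auth_user`, `basic_auth_password` and the masked HMAC `secret` come from the advisory, while `id` and `target_url` are assumed names for the remaining webhook fields, and the response body is constructed inline.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// webhook mirrors the fields of a Vikunja webhook that matter for this check.
// basic_auth_user, basic_auth_password and the masked HMAC secret are named in
// the advisory; "id" and "target_url" are assumed names for the other fields.
type webhook struct {
	ID                int64  `json:"id"`
	TargetURL         string `json:"target_url"`
	Secret            string `json:"secret"`
	BasicAuthUser     string `json:"basic_auth_user"`
	BasicAuthPassword string `json:"basic_auth_password"`
}

// ExposedWebhooks parses the JSON array returned by
// GET /api/v1/projects/:project/webhooks (fetched with a read-only token)
// and returns the IDs of webhooks whose BasicAuth fields came back unmasked.
// A patched server returns these fields empty, so an empty result means the
// instance is not leaking webhook credentials to this caller.
func ExposedWebhooks(body []byte) ([]int64, error) {
	var hooks []webhook
	if err := json.Unmarshal(body, &hooks); err != nil {
		return nil, fmt.Errorf("parse webhook list: %w", err)
	}
	var leaked []int64
	for _, h := range hooks {
		if h.BasicAuthUser != "" || h.BasicAuthPassword != "" {
			leaked = append(leaked, h.ID)
		}
	}
	return leaked, nil
}

// sampleResponse is a constructed response body, not captured from a real
// server: one webhook with credentials exposed, one without BasicAuth.
const sampleResponse = `[
  {"id": 1, "target_url": "https://ci.example.invalid/hook", "secret": "",
   "basic_auth_user": "deploy", "basic_auth_password": "s3cret"},
  {"id": 2, "target_url": "https://chat.example.invalid/hook", "secret": "",
   "basic_auth_user": "", "basic_auth_password": ""}
]`

func main() {
	ids, err := ExposedWebhooks([]byte(sampleResponse))
	if err != nil {
		panic(err)
	}
	fmt.Printf("webhooks returning plaintext BasicAuth credentials: %v\n", ids)
}
```

Any webhook ID the function returns is one whose credentials should be rotated after the upgrade, since every project reader may already have seen them.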
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Vikunja to version 2.2.1 or later, where the vulnerability has been patched by properly masking the BasicAuth credentials in the API responses.
Until the upgrade can be performed, restrict read-only access to projects that have webhooks configured with BasicAuth credentials to minimize exposure.
Additionally, consider rotating any exposed BasicAuth credentials used in webhooks to prevent unauthorized access.