Executive Summary

CVE-2026-33677 is a moderate-severity information disclosure vulnerability in the Vikunja open-source task management platform. Before version 2.2.1, the API endpoint GET /api/v1/projects/:project/webhooks returns webhook BasicAuth credentials (basic_auth_user and basic_auth_password) in plaintext to any user with read-only access to the project.

While the HMAC secret field was properly masked, the BasicAuth fields introduced in a later migration were not masked, allowing read-only collaborators to steal these credentials. This happens because the API includes these fields in its response without clearing them, exposing sensitive authentication information.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows any user with read-only access to a project to obtain webhook BasicAuth credentials intended for authenticating against external webhook receivers.

An attacker with read access can steal these credentials and potentially use them to gain unauthorized access to external services such as CI/CD systems, notification endpoints, or third-party APIs that rely on these webhooks for authentication.

This broadens the exposure surface to all project readers, including team members or users with link shares, increasing the risk of credential theft and misuse.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by querying the vulnerable API endpoint to see if webhook BasicAuth credentials are exposed in plaintext to users with read-only access.'}, {'type': 'paragraph', 'content': 'A practical approach is to use an HTTP client command to send a GET request to the endpoint `/api/v1/projects/:project/webhooks` as a user with read-only access and inspect the response for the presence of `basic_auth_user` and `basic_auth_password` fields in plaintext.'}, {'type': 'list_item', 'content': 'Example curl command to test the vulnerability (replace placeholders accordingly):'}, {'type': 'list_item', 'content': 'curl -H "Authorization: Bearer <read_only_user_token>" https://<vikunja-server>/api/v1/projects/<project_id>/webhooks'}, {'type': 'paragraph', 'content': 'If the response JSON contains `basic_auth_user` and `basic_auth_password` fields with actual credential values (not masked or empty), the system is vulnerable.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Vikunja to version 2.2.1 or later, where the vulnerability has been patched by properly masking the BasicAuth credentials in the API responses.

Until the upgrade can be performed, restrict read-only access to projects that have webhooks configured with BasicAuth credentials to minimize exposure.

Additionally, consider rotating any exposed BasicAuth credentials used in webhooks to prevent unauthorized access.

Useful 0 Not Useful 0