CVE-2026-33678
Insecure Direct Object Reference in Vikunja Attachments Allows Unauthorized Access
Publication date: 2026-03-24
Last updated on: 2026-03-30
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vikunja | vikunja | to 2.2.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33678 is a high-severity Insecure Direct Object Reference (IDOR) vulnerability in the Vikunja task management system affecting the TaskAttachment.ReadOne() method in versions up to 2.2.0.
The vulnerability occurs because the ReadOne() method fetches task attachments only by attachment ID, ignoring the task ID parameter from the URL path. Although the permission check validates access based on the task ID from the URL, it does not verify that the attachment actually belongs to that task.
This flaw allows any authenticated user to access or delete attachments belonging to other projects by supplying their own accessible task ID combined with a target attachment ID. Since attachment IDs are sequential integers, attackers can easily enumerate all attachments.
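The following Go program is an added illustration of the pattern the explanation above describes, not Vikunja's own code: an in-memory attachment table and a two-user access list (both constructed here), a permission check keyed on the task ID from the URL, and two versions of the "read one attachment" step. The hypothetical `readOneVulnerable` fetches by attachment ID alone, so passing the permission check for any task is enough to retrieve an attachment from another project; `readOneFixed` additionally requires the stored task ID to match the one in the path and reports a mismatch as not found. All type, function and variable names are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical in-memory model of the pattern described in the advisory.
// Types, names and sample rows are constructed for illustration; they are
// not Vikunja's own code or schema.
type Attachment struct {
	ID     int64
	TaskID int64
	File   string
}

var (
	ErrNotFound  = errors.New("attachment not found")
	ErrForbidden = errors.New("no access to task")
)

// attachmentStore stands in for the attachments table, keyed by the
// sequential attachment ID (constructed sample rows).
var attachmentStore = map[int64]Attachment{
	1: {ID: 1, TaskID: 10, File: "roadmap.pdf"},   // task 10, alice's project
	2: {ID: 2, TaskID: 20, File: "salaries.xlsx"}, // task 20, another project
}

// taskACL stands in for the project permission check: which tasks a user may read.
var taskACL = map[string]map[int64]bool{
	"alice": {10: true},
	"bob":   {20: true},
}

// Lookup is the shape of the "read one attachment" step that runs after the
// per-task permission check has passed.
type Lookup func(taskID, attachmentID int64) (Attachment, error)

// readOneVulnerable mirrors the flaw: the row is fetched by attachment ID alone
// and the task ID taken from the URL path is never compared against it.
func readOneVulnerable(taskID, attachmentID int64) (Attachment, error) {
	a, ok := attachmentStore[attachmentID]
	if !ok {
		return Attachment{}, ErrNotFound
	}
	return a, nil // taskID is unused: any attachment ID resolves
}

// readOneFixed scopes the lookup to the task, so an attachment that belongs
// to a different task is reported as not found rather than returned.
func readOneFixed(taskID, attachmentID int64) (Attachment, error) {
	a, ok := attachmentStore[attachmentID]
	if !ok || a.TaskID != taskID {
		return Attachment{}, ErrNotFound
	}
	return a, nil
}

// serveAttachment is the handler skeleton: the permission check runs against
// the task ID from the URL, then the lookup runs. With the vulnerable lookup,
// passing the check for one task is enough to read any attachment.
func serveAttachment(user string, taskID, attachmentID int64, lookup Lookup) (Attachment, error) {
	if !taskACL[user][taskID] {
		return Attachment{}, ErrForbidden
	}
	return lookup(taskID, attachmentID)
}

func main() {
	// alice may read task 10 only, but the request names attachment 2 (task 20).
	a, err := serveAttachment("alice", 10, 2, readOneVulnerable)
	fmt.Printf("vulnerable: /tasks/10/attachments/2 -> file=%q err=%v\n", a.File, err)
	a, err = serveAttachment("alice", 10, 2, readOneFixed)
	fmt.Printf("fixed:      /tasks/10/attachments/2 -> file=%q err=%v\n", a.File, err)
}
```

The fixed variant returns the same not-found error for a foreign attachment as for a missing one, so a caller learns nothing about whether an attachment ID exists under a task it cannot see; this is the property to check for when reviewing any handler that takes both a parent ID and a child ID from the path.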
How can this vulnerability impact me?
This vulnerability allows any authenticated user to download any file attachment across all projects, violating confidentiality.
Additionally, users with write access to any task can delete any attachment, compromising data integrity.
The sequential nature of attachment IDs makes it trivial for attackers to enumerate and target attachments, increasing the risk of unauthorized data access and deletion.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access or delete attachments using a combination of your own accessible task ID and sequential attachment IDs that may belong to other projects. Since attachment IDs are sequential integers, enumeration is trivial.

A practical detection method is to authenticate as a normal user and try to download or delete attachments by specifying your own task ID but varying the attachment ID parameter to see if attachments from other projects can be accessed.

Specific commands depend on the API or interface used by Vikunja, but generally, you can use HTTP requests to the endpoint that fetches attachments, for example using curl:

- `curl -u username:password "https://vikunja.example.com/api/tasks/{your_task_id}/attachments/{target_attachment_id}"`
- Replace {your_task_id} with a task ID you have access to and iterate {target_attachment_id} over sequential integers to check if attachments from other projects are accessible.

If you can successfully download or delete attachments that do not belong to your task, the vulnerability is present. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Vikunja to version 2.2.1 or later, where the vulnerability has been patched by modifying the ReadOne() method to validate that the attachment belongs to the specified task.
Until the upgrade can be performed, restrict access to the Vikunja instance to trusted users only, as the vulnerability requires authenticated access.
Additionally, monitor and audit attachment access and deletion logs for suspicious activity indicating unauthorized access attempts.