Executive Summary

CVE-2026-33678 is a high-severity Insecure Direct Object Reference (IDOR) vulnerability in the Vikunja task management system affecting the TaskAttachment.ReadOne() method in versions up to 2.2.0.

The vulnerability occurs because the ReadOne() method fetches task attachments only by attachment ID, ignoring the task ID parameter from the URL path. Although the permission check validates access based on the task ID from the URL, it does not verify that the attachment actually belongs to that task.

This flaw allows any authenticated user to access or delete attachments belonging to other projects by supplying their own accessible task ID combined with a target attachment ID. Since attachment IDs are sequential integers, attackers can easily enumerate all attachments.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows any authenticated user to download any file attachment across all projects, violating confidentiality.

Additionally, users with write access to any task can delete any attachment, compromising data integrity.

The sequential nature of attachment IDs makes it trivial for attackers to enumerate and target attachments, increasing the risk of unauthorized data access and deletion.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access or delete attachments using a combination of your own accessible task ID and sequential attachment IDs that may belong to other projects. Since attachment IDs are sequential integers, enumeration is trivial.'}, {'type': 'paragraph', 'content': 'A practical detection method is to authenticate as a normal user and try to download or delete attachments by specifying your own task ID but varying the attachment ID parameter to see if attachments from other projects can be accessed.'}, {'type': 'paragraph', 'content': 'Specific commands depend on the API or interface used by Vikunja, but generally, you can use HTTP requests to the endpoint that fetches attachments, for example using curl:'}, {'type': 'list_item', 'content': 'curl -u username:password "https://vikunja.example.com/api/tasks/{your_task_id}/attachments/{target_attachment_id}"'}, {'type': 'list_item', 'content': 'Replace {your_task_id} with a task ID you have access to and iterate {target_attachment_id} over sequential integers to check if attachments from other projects are accessible.'}, {'type': 'paragraph', 'content': 'If you can successfully download or delete attachments that do not belong to your task, the vulnerability is present.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Vikunja to version 2.2.1 or later, where the vulnerability has been patched by modifying the ReadOne() method to validate that the attachment belongs to the specified task.

Until the upgrade can be performed, restrict access to the Vikunja instance to trusted users only, as the vulnerability requires authenticated access.

Additionally, monitor and audit attachment access and deletion logs for suspicious activity indicating unauthorized access attempts.

Useful 0 Not Useful 0