CVE-2026-33679
Received Received - Intake
SSRF Vulnerability in Vikunja Avatar Download Allows Internal Requests

Publication date: 2026-03-24

Last updated on: 2026-03-30

Assigner: GitHub, Inc.

Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http.Client{}` with no SSRF protection when downloading user avatar images from the OpenID Connect `picture` claim URL. An attacker who controls their OIDC profile picture URL can force the Vikunja server to make HTTP GET requests to arbitrary internal or cloud metadata endpoints. This bypasses the SSRF protections that are correctly applied to the webhook system. Version 2.2.1 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-30
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33679
EUVD
EUVD-2026-14923
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vikunja vikunja to 2.2.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33679 is a Server-Side Request Forgery (SSRF) vulnerability in the Vikunja open-source task management platform affecting versions prior to 2.2.1.'}, {'type': 'paragraph', 'content': 'The vulnerability exists in the `DownloadImage` function which downloads user avatar images from the OpenID Connect (OIDC) "picture" claim URL using a default HTTP client without any SSRF protections.'}, {'type': 'paragraph', 'content': 'An attacker who controls their OIDC profile picture URL can exploit this by setting it to an internal or cloud metadata endpoint, causing the Vikunja server to make unauthorized HTTP GET requests to internal services or cloud metadata endpoints.'}, {'type': 'paragraph', 'content': 'This bypasses SSRF protections that are otherwise applied in other parts of the application, such as the webhook system.'}, {'type': 'paragraph', 'content': 'The vulnerability allows attackers to access sensitive internal network information, cloud instance metadata (like IAM credentials), and potentially trigger internal service actions.'}] [1]

Impact Analysis

This vulnerability can impact you by allowing an attacker to make the Vikunja server perform unauthorized HTTP requests to internal or cloud metadata endpoints.

  • Exposure of sensitive cloud instance metadata such as IAM credentials or identity tokens from AWS, GCP, Azure, etc.
  • Internal network reconnaissance by scanning or probing internal services through timing and error analysis.
  • Triggering internal GET endpoints that may perform administrative or sensitive actions.
  • Potential memory exhaustion on the server due to unrestricted response size when downloading large resources.

Repeated exploitation is possible since the SSRF triggers on every OIDC login, allowing iterative probing by updating the profile picture URL.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring HTTP GET requests made by the Vikunja server to URLs derived from the OpenID Connect (OIDC) profile picture claim. Specifically, look for requests to internal or cloud metadata endpoints such as AWS IMDS (e.g., http://169.254.169.254/latest/meta-data/) or other internal services triggered during user login.'}, {'type': 'paragraph', 'content': 'You can detect exploitation attempts by inspecting logs for unusual outbound HTTP requests from the Vikunja server to internal IP ranges or cloud metadata IPs.'}, {'type': 'list_item', 'content': 'Use network monitoring tools (e.g., tcpdump, Wireshark) to capture outgoing HTTP requests from the Vikunja server and filter for suspicious destinations.'}, {'type': 'list_item', 'content': 'Check Vikunja server logs for HTTP requests triggered during OIDC logins that access unexpected internal or cloud metadata URLs.'}, {'type': 'list_item', 'content': "Example tcpdump command to monitor HTTP requests to internal IPs: sudo tcpdump -i eth0 'tcp dst port 80 and (dst net 169.254.0.0/16 or dst net 10.0.0.0/8 or dst net 172.16.0.0/12 or dst net 192.168.0.0/16)'"}, {'type': 'list_item', 'content': 'Example curl command to test if the server can access internal metadata endpoints (run on the Vikunja server): curl -v http://169.254.169.254/latest/meta-data/'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade Vikunja to version 2.2.1 or later, where the vulnerability is patched.'}, {'type': 'paragraph', 'content': 'The patch replaces the default HTTP client used in the avatar image download function with a specialized HTTP client that enforces SSRF protections, including blocking requests to non-globally-routable IP addresses and limiting response sizes.'}, {'type': 'list_item', 'content': 'Upgrade Vikunja to version 2.2.1 or newer.'}, {'type': 'list_item', 'content': "If upgrading immediately is not possible, consider restricting the Vikunja server's outbound HTTP access to trusted external IPs only, blocking access to internal IP ranges and cloud metadata IP addresses at the network or firewall level."}, {'type': 'list_item', 'content': 'Monitor and audit OIDC profile picture URLs to detect and prevent malicious URLs.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33679. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart