Executive Summary

CVE-2026-33680 is a high-severity vulnerability in the Vikunja open-source task management platform affecting versions prior to 2.2.2. The issue lies in the LinkSharing feature, where the method `LinkSharing.ReadAll()` allows users authenticated via a link share to list all link shares for a project, including their secret hashes, without proper authorization checks.

While the `LinkSharing.CanRead()` method correctly blocks link share users from reading individual shares, the `ReadAllWeb` handler bypasses this check by directly calling `ReadAll()` without invoking `CanRead()`. This means a user with a read-only link share can retrieve hashes for write or admin link shares on the same project.

These hashes act as secret tokens for authentication. By obtaining hashes for higher-permission shares, an attacker can escalate their privileges from read-only to full admin access on the project.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with only a read-only link share to escalate their permissions to write or admin levels on the same project without needing any additional authentication.

• Unauthorized disclosure of secret link share hashes, which serve as bearer tokens.
• Full administrative access to the project, enabling actions such as deleting the project or modifying its contents.
• No user account credentials or extra authentication are required beyond possessing any link share URL.
• Potential compromise of password-protected shares’ hashes, although exploitation requires knowledge or brute-forcing of the password.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring API calls to the Vikunja project management platform, specifically calls to the endpoint that lists all link shares for a project (the ReadAllWeb handler). An attacker with a read-only link share can call this endpoint to retrieve all link share hashes, which should normally be restricted.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts, you can look for unusual API requests authenticated via link share tokens that access the link shares listing endpoint.'}, {'type': 'paragraph', 'content': 'Suggested commands include using network traffic inspection tools (e.g., tcpdump, Wireshark) or API request logging to identify requests to the ReadAllWeb endpoint authenticated with link share tokens.'}, {'type': 'list_item', 'content': 'Use curl or similar tools to test the endpoint with a read-only link share token and observe if the response includes all link share hashes.'}, {'type': 'list_item', 'content': 'Example curl command to test the vulnerability (replace placeholders accordingly):'}, {'type': 'list_item', 'content': 'curl -H "Authorization: Bearer <read-only-link-share-token>" https://<vikunja-server>/api/projects/<project-id>/linkshares'}, {'type': 'paragraph', 'content': 'If the response includes hashes of write or admin link shares, the system is vulnerable.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Vikunja to version 2.2.2 or later, where the vulnerability is patched.

The patch adds an authorization check at the start of the LinkSharing.ReadAll() method to deny access if the caller is authenticated via a link share, returning a 403 Forbidden error.

As a defense-in-depth measure, the patch also suggests excluding the secret Hash field from JSON serialization in list responses to prevent accidental exposure.

Until the upgrade is applied, restrict access to the vulnerable API endpoints and monitor for suspicious activity involving link share tokens.

Useful 0 Not Useful 0