CVE-2026-33700
Insecure Access Control in Vikunja Project Share Deletion
Publication date: 2026-03-24
Last updated on: 2026-03-30
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vikunja | vikunja | all versions before 2.2.1 (2.2.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33700 is an Insecure Direct Object Reference (IDOR) vulnerability in the Vikunja task management software affecting the DELETE /api/v1/projects/:project/shares/:share endpoint in versions prior to 2.2.1.
The vulnerability occurs because the endpoint does not verify that the link share being deleted actually belongs to the project specified in the URL.
An attacker with admin access to any project can delete link shares from other projects by providing their own project ID combined with the target share ID.
This happens because the delete operation only checks the share ID without confirming project ownership, allowing unauthorized deletion of link shares.
How can this vulnerability impact me?
An attacker with admin rights on any project can delete link shares from other projects, disrupting collaboration by removing shared access links.
This unauthorized deletion can cause loss of access to shared resources and potentially interrupt workflows dependent on those shares.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring DELETE requests to the endpoint /api/v1/projects/:project/shares/:share and verifying whether the share ID being deleted actually belongs to the specified project.
Since the vulnerability involves an attacker with admin access to one project deleting link shares from other projects by manipulating the project ID and share ID in the DELETE request, detection can involve checking for DELETE requests where the share ID does not belong to the project ID in the URL.
Suggested commands to detect suspicious activity might include:
- Using network traffic monitoring tools (e.g., tcpdump or Wireshark) to capture DELETE requests to the vulnerable endpoint.
- Querying application logs for DELETE requests to /api/v1/projects/*/shares/* and checking if the share IDs correspond to the project IDs.
- Example command to search logs for DELETE requests (assuming logs contain HTTP method and URL): `grep 'DELETE /api/v1/projects/' /path/to/vikunja/logs/access.log`
- Further analysis would require correlating project IDs and share IDs from the database to identify mismatches. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Vikunja to version 2.2.1 or later, where this vulnerability has been patched.
If upgrading immediately is not possible, restrict admin access to projects only to trusted users to reduce the risk of exploitation.
Additionally, monitor and audit DELETE requests to the /api/v1/projects/:project/shares/:share endpoint for suspicious activity.
The underlying fix involves modifying the Delete method to verify that the share being deleted belongs to the specified project by changing the database query to include a project ownership check.
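The contrast between the flawed delete and the patched one, as an added illustration that is not Vikunja's own code: an in-memory map stands in for the link-share table, and `DeleteVulnerable` / `DeleteFixed` are constructed names. The caller is assumed to have already passed the "admin of projectID" check; the difference lies entirely in whether the delete predicate also matches the share's owning project.

```go
package main

import "errors"

// LinkShare holds only the fields the ownership check needs (constructed
// type for this example, not Vikunja's own model).
type LinkShare struct {
	ID        int64
	ProjectID int64
}

// ErrNotFound is returned when no share matches the delete criteria.
var ErrNotFound = errors.New("link share not found for this project")

// Store is an in-memory stand-in for the link-share table.
type Store struct{ shares map[int64]LinkShare }

func NewStore(shares ...LinkShare) *Store {
	s := &Store{shares: map[int64]LinkShare{}}
	for _, sh := range shares {
		s.shares[sh.ID] = sh
	}
	return s
}

// DeleteVulnerable mirrors the flaw: the caller was authorised as admin of
// projectID, but the delete keys on shareID alone, so a share that belongs
// to a different project is removed as well (CWE-639).
func (s *Store) DeleteVulnerable(projectID, shareID int64) error {
	_ = projectID // never compared against the share's owning project
	if _, ok := s.shares[shareID]; !ok {
		return ErrNotFound
	}
	delete(s.shares, shareID)
	return nil
}

// DeleteFixed adds the ownership predicate, the equivalent of
// "WHERE id = ? AND project_id = ?" in the database query.
func (s *Store) DeleteFixed(projectID, shareID int64) error {
	if sh, ok := s.shares[shareID]; !ok || sh.ProjectID != projectID {
		return ErrNotFound
	}
	delete(s.shares, shareID)
	return nil
}

// Has reports whether a share is still present in the store.
func (s *Store) Has(shareID int64) bool { _, ok := s.shares[shareID]; return ok }
```

A foreign share ID passed to `DeleteFixed` is indistinguishable from a non-existent one, which is the intended behaviour: the response must not reveal that a share exists in another project.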