Executive Summary

CVE-2026-33700 is an Insecure Direct Object Reference (IDOR) vulnerability in the Vikunja task management software affecting the DELETE /api/v1/projects/:project/shares/:share endpoint in versions prior to 2.2.1.

The vulnerability occurs because the endpoint does not verify that the link share being deleted actually belongs to the project specified in the URL.

An attacker with admin access to any project can delete link shares from other projects by providing their own project ID combined with the target share ID.

This happens because the delete operation only checks the share ID without confirming project ownership, allowing unauthorized deletion of link shares.

Useful 0 Not Useful 0

Impact Analysis

An attacker with admin rights on any project can delete link shares from other projects, disrupting collaboration by removing shared access links.

This unauthorized deletion can cause loss of access to shared resources and potentially interrupt workflows dependent on those shares.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring DELETE requests to the endpoint /api/v1/projects/:project/shares/:share and verifying whether the share ID being deleted actually belongs to the specified project.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves an attacker with admin access to one project deleting link shares from other projects by manipulating the project ID and share ID in the DELETE request, detection can involve checking for DELETE requests where the share ID does not belong to the project ID in the URL.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect suspicious activity might include:'}, {'type': 'list_item', 'content': 'Using network traffic monitoring tools (e.g., tcpdump or Wireshark) to capture DELETE requests to the vulnerable endpoint.'}, {'type': 'list_item', 'content': 'Querying application logs for DELETE requests to /api/v1/projects/*/shares/* and checking if the share IDs correspond to the project IDs.'}, {'type': 'list_item', 'content': 'Example command to search logs for DELETE requests (assuming logs contain HTTP method and URL):'}, {'type': 'list_item', 'content': "grep 'DELETE /api/v1/projects/' /path/to/vikunja/logs/access.log"}, {'type': 'list_item', 'content': 'Further analysis would require correlating project IDs and share IDs from the database to identify mismatches.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Vikunja to version 2.2.1 or later, where this vulnerability has been patched.

If upgrading immediately is not possible, restrict admin access to projects only to trusted users to reduce the risk of exploitation.

Additionally, monitor and audit DELETE requests to the /api/v1/projects/:project/shares/:share endpoint for suspicious activity.

The underlying fix involves modifying the Delete method to verify that the share being deleted belongs to the specified project by changing the database query to include a project ownership check.

Useful 0 Not Useful 0