CVE-2026-56765
Received Received - Intake

Authorization Bypass in Vikunja Exposes Sensitive Data

Vulnerability report for CVE-2026-56765, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

Vikunja before 2.2.1 contains an authorization flaw where the LinkSharing.ReadAll endpoint exposes share hashes to users with read access, enabling permission escalation to admin-level shares. The GetTaskAttachment endpoint performs permission checks against user-supplied task IDs but fetches attachments by sequential ID without verifying ownership, allowing attackers to download and delete all file attachments across all projects instance-wide.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
vikunja vikunja to 2.2.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56765 is a critical authorization flaw in Vikunja versions before 2.2.1 that allows unauthorized access and manipulation of data across an entire instance.

The vulnerability involves two main issues: first, the LinkSharing.ReadAll endpoint exposes share hashes to users with read access, which enables attackers to escalate their permissions to admin-level shares.

Second, the GetTaskAttachment endpoint performs permission checks based on user-supplied task IDs but fetches attachments by sequential ID without verifying ownership. This allows attackers to download and delete all file attachments across all projects instance-wide.

Compliance Impact

CVE-2026-56765 allows unauthorized access to sensitive data and the ability to delete files across an entire Vikunja instance, resulting in an instance-wide data breach.

Such unauthorized data exposure and modification can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

The vulnerability's high severity and the ability for unauthenticated attackers to escalate privileges and access confidential files indicate a significant risk to compliance with these standards.

Impact Analysis

This vulnerability can lead to a severe instance-wide data breach, allowing unauthenticated attackers to access, download, and delete sensitive file attachments from any project within the Vikunja instance.

Attackers can escalate their permissions from read access to admin-level shares, compromising confidentiality and integrity of data.

The impact includes unauthorized disclosure of sensitive information and potential loss or destruction of important files, severely affecting the availability and trustworthiness of the system.

Detection Guidance

Detection of this vulnerability involves monitoring for unauthorized access attempts to the LinkSharing.ReadAll endpoint and the GetTaskAttachment endpoint in Vikunja instances before version 2.2.1.

Specifically, detection can focus on requests that attempt to enumerate share hashes or access task attachments by sequential IDs without proper authorization.

Commands or methods to detect exploitation attempts may include:

  • Using web server logs or network monitoring tools to identify unusual GET or POST requests to endpoints like /api/v1/LinkSharing.ReadAll or /api/v1/GetTaskAttachment.
  • Searching logs for repeated access attempts with sequential task attachment IDs that do not correspond to the requesting user's permissions.
  • Example command to search logs for suspicious access to LinkSharing.ReadAll endpoint: `grep 'LinkSharing.ReadAll' /var/log/nginx/access.log`
  • Example command to detect sequential access to task attachments: `grep 'GetTaskAttachment' /var/log/nginx/access.log | awk '{print $7}' | sort | uniq -c` to identify repeated or sequential attachment ID requests.
Mitigation Strategies

The immediate mitigation step is to upgrade Vikunja to version 2.2.1 or later, where the vulnerability has been fixed.

This update removes the exposure of share hashes in the LinkSharing.ReadAll endpoint and enforces proper ownership verification in the GetTaskAttachment endpoint.

Until the upgrade can be applied, consider restricting access to the vulnerable endpoints by limiting network exposure, such as firewall rules or access controls, to trusted users only.

Additionally, monitor logs for suspicious activity as described in detection steps and revoke any suspicious or publicly shared links that could be exploited.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56765. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart