


Perceptive Security
SOC/SIEM Consultancy

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, `TaskAttachment.ReadOne()` queries attachments by ID only (`WHERE id = ?…
Published:
23 March 2026 at 23:00:00
Alert date:
24 March 2026 at 17:03:37
Source:
nvd.nist.gov
Web Technologies, Enterprise Applications
Vikunja, an open-source task management platform, contains an authorization bypass vulnerability in versions prior to 2.2.1. The TaskAttachment.ReadOne() function queries attachments by ID only and ignores the task ID supplied in the URL path, so the attachment returned is never checked against the task the caller is authorized to view. An authenticated user can therefore reach attachments from other projects by changing the task and attachment IDs in the request. The flaw permits unauthorized download or deletion of any attachment in the system, and because attachment IDs are sequential integers, enumeration is trivial. Version 2.2.1 patches this authorization flaw.
Technical details
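The advisory describes a lookup keyed on the attachment ID alone, with the task ID from the URL path accepted but never compared against the row that is returned. The Go example below is added here to illustrate that pattern next to its hardened form; it is not Vikunja's code or schema, and the types, store, user IDs and sample rows are constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed sample types. This is illustrative code added to this page, not
// Vikunja's own code or schema; the names are hypothetical.
type Task struct {
	ID        int64
	ProjectID int64
}

type Attachment struct {
	ID     int64
	TaskID int64
	Name   string
}

// Store stands in for the database: rows keyed by ID plus a constructed
// project membership table (projectMembers[projectID][userID] == true).
type Store struct {
	tasks          map[int64]Task
	attachments    map[int64]Attachment
	projectMembers map[int64]map[int64]bool
}

var ErrNotFound = errors.New("attachment not found")

// readOneByIDOnly mirrors the flawed pattern the advisory describes: the row is
// fetched by attachment ID alone (WHERE id = ?), so the task ID taken from the
// URL path is accepted but never compared with the row that comes back.
func (s *Store) readOneByIDOnly(_ int64, attachmentID int64) (Attachment, error) {
	a, ok := s.attachments[attachmentID]
	if !ok {
		return Attachment{}, ErrNotFound
	}
	return a, nil
}

// readOneScoped is the hardened form: the caller's access to the task's project
// is checked first, then the lookup is scoped to both identifiers (the
// equivalent of WHERE id = ? AND task_id = ?). Both failures map to the same
// error so the response does not reveal whether the attachment exists.
func (s *Store) readOneScoped(userID, taskID, attachmentID int64) (Attachment, error) {
	t, ok := s.tasks[taskID]
	if !ok || !s.projectMembers[t.ProjectID][userID] {
		return Attachment{}, ErrNotFound
	}
	a, ok := s.attachments[attachmentID]
	if !ok || a.TaskID != taskID {
		return Attachment{}, ErrNotFound
	}
	return a, nil
}

// newSampleStore builds constructed data: two projects with one task and one
// attachment each; user 1 belongs to project 10 only, user 2 to project 20 only.
func newSampleStore() *Store {
	return &Store{
		tasks: map[int64]Task{
			100: {ID: 100, ProjectID: 10},
			200: {ID: 200, ProjectID: 20},
		},
		attachments: map[int64]Attachment{
			1000: {ID: 1000, TaskID: 100, Name: "roadmap.pdf"},
			2000: {ID: 2000, TaskID: 200, Name: "payroll.xlsx"},
		},
		projectMembers: map[int64]map[int64]bool{
			10: {1: true},
			20: {2: true},
		},
	}
}

func main() {
	s := newSampleStore()
	// User 1 requests /tasks/100/attachments/2000: task 100 is theirs, but
	// attachment 2000 belongs to task 200 in a project they cannot read.
	a, err := s.readOneByIDOnly(100, 2000)
	fmt.Printf("id-only lookup: %+v err=%v\n", a, err) // hands back the other project's row
	a, err = s.readOneScoped(1, 100, 2000)
	fmt.Printf("scoped lookup:  %+v err=%v\n", a, err) // ErrNotFound
	a, err = s.readOneScoped(1, 100, 1000)
	fmt.Printf("own attachment: %+v err=%v\n", a, err) // attachment 1000 is returned
}
```

The scoped version does two things the ID-only version omits: it verifies the caller's permission on the parent task before touching the attachment table, and it binds the attachment row to the task ID in the path so a mismatched pair cannot resolve. Collapsing the permission failure and the missing-row case into one error keeps the endpoint from acting as an existence oracle for sequential IDs.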
Mitigation steps:
Upgrade to Vikunja 2.2.1 or later, which patches the authorization flaw.
Affected products:
Vikunja
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-33678
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-jfmm-mjcp-8wq2
https://vikunja.io/changelog/vikunja-v2.2.2-was-released
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
