CVE-2026-33474 Overview
CVE-2026-33474 is a Resource Exhaustion vulnerability affecting Vikunja, an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing during preview generation allows an attacker to exhaust CPU and memory resources by uploading highly compressed but extremely large-dimension images. This vulnerability enables authenticated attackers to cause a denial of service condition against the Vikunja server.
Critical Impact
Authenticated attackers can exhaust server CPU and memory resources by uploading specially crafted images, leading to denial of service and potential system instability.
Affected Products
- Vikunja versions 1.0.0-rc0 through 2.1.x
- Vikunja self-hosted installations with image preview generation enabled
- Docker and standalone deployments running vulnerable versions
Discovery Timeline
- 2026-03-24 - CVE-2026-33474 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-33474
Vulnerability Analysis
This vulnerability falls under CWE-400 (Uncontrolled Resource Consumption). The issue exists in Vikunja's image preview generation functionality, which processes uploaded images without implementing proper bounds checking on image dimensions. When a user uploads an image attachment, Vikunja automatically generates preview thumbnails. However, the image decoding and resizing operations do not validate or limit the dimensions of the input image before processing.
An attacker can craft a highly compressed image file (such as a PNG bomb or decompression bomb) that has a small file size but decompresses to extremely large dimensions. When Vikunja attempts to decode and resize such an image, the server allocates massive amounts of memory to handle the uncompressed image data, and CPU cycles are consumed processing the resize operation.
Root Cause
The root cause of this vulnerability is the absence of dimension validation and resource limits in the image processing pipeline. The preview generation code trusts the compressed image data without first checking the declared or actual image dimensions against reasonable upper bounds. This allows attackers to bypass file size restrictions that may be in place, since the attack relies on compression ratio exploitation rather than large file uploads.
Attack Vector
This vulnerability is exploitable over the network by any authenticated user with permissions to upload attachments. The attacker uploads a specially crafted image file designed to consume excessive resources when decompressed. The attack requires low privileges (authenticated user account) and no user interaction from administrators or other users.
The exploitation process involves:
- Creating a decompression bomb image with small file size but massive decoded dimensions
- Uploading the malicious image as an attachment to a task or project
- The server automatically processes the image for preview generation
- Resource exhaustion occurs as the server attempts to decode and resize the image
For technical implementation details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-33474
Indicators of Compromise
- Abnormally high memory consumption during image upload operations
- Sustained CPU spikes correlated with attachment uploads
- Server out-of-memory (OOM) events in system logs
- Repeated image processing timeouts or failures
Detection Strategies
- Monitor system resource utilization for sudden spikes during file upload operations
- Implement application-level logging for image processing events including dimensions and processing time
- Review uploaded attachments for suspicious image files whose declared dimensions are very large relative to their file size, the signature of a decompression bomb
- Set up alerting for OOM killer events targeting Vikunja processes
Monitoring Recommendations
- Configure resource monitoring dashboards to track Vikunja service memory and CPU consumption
- Enable detailed logging of image processing operations including input image dimensions
- Implement rate limiting alerts for rapid successive upload attempts from single users
- Monitor container or process health for unexpected restarts or crashes
How to Mitigate CVE-2026-33474
Immediate Actions Required
- Upgrade Vikunja to version 2.2.0 or later immediately
- Review recent upload activity logs for potential exploitation attempts
- Consider temporarily disabling image preview generation if immediate patching is not possible
- Implement resource limits (memory and CPU) for the Vikunja service at the container or system level
Patch Information
The vulnerability has been patched in Vikunja version 2.2.0. The fix implements proper bounds checking on image dimensions before processing, preventing resource exhaustion attacks via oversized images. Users should upgrade to version 2.2.0 or later to remediate this vulnerability. For detailed release information, see the Vikunja Release Notes v2.2.0.
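The check the fix describes, shown as an added example rather than Vikunja's own code (Vikunja's backend is written in Go; the `Limits` values, the function names and the constructed PNG header below are assumptions for illustration). The image header is parsed with Go's `image.DecodeConfig`, which allocates no pixel buffer, the declared dimensions and pixel count are compared against the policy before the full decode is attempted, and the dimensions, file size and estimated decoded size are logged, which is the per-upload record the detection strategies above ask for:

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"image"
	"image/color"
	_ "image/jpeg" // register JPEG so DecodeConfig can read JPEG headers too
	"image/png"
	"log"
)

// Limits is a hypothetical preview policy, checked against the image header
// before any pixel data is decoded (values are illustrative, not Vikunja's).
type Limits struct {
	MaxWidth, MaxHeight int
	MaxPixels           int64 // cap on width*height, the number that drives memory use
}

var DefaultLimits = Limits{MaxWidth: 8192, MaxHeight: 8192, MaxPixels: 32 << 20}
var ErrImageTooLarge = errors.New("image exceeds preview dimension limits")

// bytesPerPixel: in-memory cost of one decoded pixel; 8 (16-bit RGBA) is the conservative fallback.
func bytesPerPixel(m color.Model) int64 {
	if _, ok := m.(color.Palette); ok {
		return 1
	}
	switch m {
	case color.GrayModel:
		return 1
	case color.Gray16Model:
		return 2
	case color.RGBAModel, color.NRGBAModel, color.YCbCrModel:
		return 4
	}
	return 8
}

// EstimatedDecodedBytes is roughly what a full decode of this header would allocate.
func EstimatedDecodedBytes(cfg image.Config) int64 {
	return int64(cfg.Width) * int64(cfg.Height) * bytesPerPixel(cfg.ColorModel)
}

// CheckConfig rejects a header whose dimensions fall outside the policy.
func CheckConfig(cfg image.Config, lim Limits) error {
	if cfg.Width <= 0 || cfg.Height <= 0 {
		return fmt.Errorf("invalid image dimensions %dx%d", cfg.Width, cfg.Height)
	}
	if cfg.Width > lim.MaxWidth || cfg.Height > lim.MaxHeight ||
		int64(cfg.Width)*int64(cfg.Height) > lim.MaxPixels {
		return fmt.Errorf("%w: %dx%d", ErrImageTooLarge, cfg.Width, cfg.Height)
	}
	return nil
}

// DecodeBounded parses only the header (no pixel buffer is allocated), logs what
// a detection rule needs, and runs the full decode only if the limits pass.
func DecodeBounded(data []byte, lim Limits) (image.Image, image.Config, error) {
	cfg, format, err := image.DecodeConfig(bytes.NewReader(data))
	if err != nil {
		return nil, cfg, fmt.Errorf("reading image header: %w", err)
	}
	log.Printf("upload format=%s dims=%dx%d file_bytes=%d est_decoded_bytes=%d",
		format, cfg.Width, cfg.Height, len(data), EstimatedDecodedBytes(cfg))
	if err := CheckConfig(cfg, lim); err != nil {
		return nil, cfg, err
	}
	img, _, err := image.Decode(bytes.NewReader(data))
	return img, cfg, err
}

// ConstructedPNGHeader is a constructed test input: the 33-byte PNG signature plus
// IHDR chunk declaring an 8-bit RGBA image of the given size, with no pixel data.
func ConstructedPNGHeader(width, height uint32) []byte {
	chunk := make([]byte, 4+13)
	copy(chunk, "IHDR")
	binary.BigEndian.PutUint32(chunk[4:8], width)
	binary.BigEndian.PutUint32(chunk[8:12], height)
	chunk[12], chunk[13] = 8, 6 // bit depth 8, colour type RGBA; the rest stay 0
	var buf bytes.Buffer
	buf.WriteString("\x89PNG\r\n\x1a\n")
	binary.Write(&buf, binary.BigEndian, uint32(13))
	buf.Write(chunk)
	binary.Write(&buf, binary.BigEndian, crc32.ChecksumIEEE(chunk)) // CRC covers type+data
	return buf.Bytes()
}

// SmallPNG is a real (constructed) 2x2 image for the accept path.
func SmallPNG() []byte {
	img := image.NewNRGBA(image.Rect(0, 0, 2, 2))
	var buf bytes.Buffer
	if err := png.Encode(&buf, img); err != nil {
		panic(err)
	}
	return buf.Bytes()
}
```

Calling `DecodeBounded(ConstructedPNGHeader(30000, 30000), DefaultLimits)` rejects the 33-byte input with `ErrImageTooLarge` after logging an estimated decode cost of 3.6 GB, while `DecodeBounded(SmallPNG(), DefaultLimits)` decodes normally. The `file_bytes` and `est_decoded_bytes` fields in the log line give the ratio the detection section suggests watching for.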
Workarounds
- Deploy container resource limits to constrain memory and CPU available to Vikunja
- Implement reverse proxy rules to reject uploads exceeding reasonable image dimension thresholds (note that a proxy can enforce a request body size cap directly, but rejecting on decoded dimensions requires parsing the image header, and this attack is designed to pass file size limits)
- Use cgroups or similar OS-level resource controls to limit the Vikunja process
- Temporarily disable or restrict attachment upload functionality until patching is complete
# Docker resource limits example (illustrative values; size them for your deployment)
# Setting --memory-swap equal to --memory disables swap, so a decompression bomb
# hits the memory cap and the container is OOM-killed instead of thrashing the host
docker run -d \
  --name vikunja \
  --memory="1g" \
  --memory-swap="1g" \
  --cpus="2" \
  vikunja/vikunja:2.2.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


