CVE-2026-33675 Overview
CVE-2026-33675 is a Server-Side Request Forgery (SSRF) vulnerability affecting Vikunja, an open-source self-hosted task management platform. The vulnerability exists in the migration helper functions DownloadFile and DownloadFileWithHeaders located in pkg/modules/migration/helpers.go. These functions make arbitrary HTTP GET requests without any SSRF protection, allowing attackers to exploit the Todoist or Trello migration features to force the Vikunja server to fetch internal network resources.
Critical Impact
Authenticated attackers can leverage the migration functionality to access internal network resources, potentially exposing sensitive data from systems that should not be accessible from the internet.
Affected Products
- Vikunja versions prior to 2.2.1
Discovery Timeline
- 2026-03-24 - CVE CVE-2026-33675 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-33675
Vulnerability Analysis
This SSRF vulnerability (CWE-918) occurs due to insufficient validation of URLs passed to the migration helper functions. When a user triggers a migration from Todoist or Trello, the file attachment URLs from the third-party API response are passed directly to the DownloadFile and DownloadFileWithHeaders functions without any verification. An attacker who can control or manipulate these URLs can redirect the Vikunja server to make requests to arbitrary internal or external endpoints.
The lack of URL validation allows the server to be weaponized as a proxy for accessing internal network resources. The response from these internal requests is then returned to the attacker as a downloadable task attachment, creating a data exfiltration pathway through the application's legitimate functionality.
Root Cause
The root cause lies in the absence of SSRF protection mechanisms in the DownloadFile and DownloadFileWithHeaders functions within pkg/modules/migration/helpers.go. These functions accept URLs without validating whether they point to internal network addresses, cloud metadata endpoints, or other restricted resources. The functions blindly follow redirects and fetch content from any provided URL, making them susceptible to SSRF attacks.
Attack Vector
The attack requires an authenticated user to initiate a Todoist or Trello migration. An attacker can craft or manipulate the migration data to include malicious URLs pointing to internal resources such as cloud metadata services (e.g., http://169.254.169.254/), internal APIs, or other services on the private network. When the migration process attempts to download file attachments, the Vikunja server makes HTTP GET requests to these internal endpoints and returns the response content as attachment data, effectively leaking internal information to the attacker.
The vulnerability mechanism involves the server acting as a confused deputy, using its network position and privileges to access resources on behalf of the attacker. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-33675
Indicators of Compromise
- Unusual outbound HTTP requests from the Vikunja server to internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- HTTP requests to cloud metadata endpoints such as 169.254.169.254 originating from the Vikunja application
- Migration requests with attachment URLs pointing to non-standard or internal addresses
- Unexpected data in task attachments that resembles internal system configurations or metadata
Detection Strategies
- Monitor application logs for migration activity combined with unusual URL patterns in attachment downloads
- Implement network monitoring to detect egress traffic from the Vikunja server to internal network segments
- Review web application firewall (WAF) logs for requests containing internal IP addresses in URL parameters
- Set up alerts for any requests to known cloud metadata service IP ranges from application servers
Monitoring Recommendations
- Enable detailed logging for the migration module to capture all URLs processed during Todoist and Trello imports
- Deploy network segmentation monitoring to detect lateral movement attempts via SSRF
- Implement DNS query logging to identify resolution of internal hostnames by the Vikunja server
- Configure SentinelOne Singularity to monitor for anomalous network behavior from web application containers
How to Mitigate CVE-2026-33675
Immediate Actions Required
- Upgrade Vikunja to version 2.2.1 or later immediately
- Review recent migration activity logs for any suspicious URL patterns
- Audit task attachments created through recent migrations for potential data leakage
- Consider temporarily disabling the Todoist and Trello migration features until the patch is applied
Patch Information
The vulnerability has been patched in Vikunja version 2.2.1. The fix adds proper SSRF protection to the DownloadFile and DownloadFileWithHeaders functions, preventing requests to internal network addresses and restricted IP ranges. The patch can be reviewed in the GitHub commit. Additional release information is available in the Vikunja Changelog.
Workarounds
- Implement network-level controls to restrict outbound connections from the Vikunja server to only necessary external services
- Deploy a web application firewall (WAF) rule to block migration requests containing internal IP addresses or localhost references
- Use network segmentation to isolate the Vikunja server from sensitive internal resources
- Configure egress firewall rules to prevent the application server from accessing cloud metadata endpoints and internal network ranges
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
