CVE-2026-33676 Overview
CVE-2026-33676 is an authorization bypass vulnerability in Vikunja, an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the related_tasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. This improper authorization check allows authenticated users to access sensitive task information from projects they should not have access to.
Critical Impact
An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to, potentially exposing confidential business information and project data.
Affected Products
- Vikunja versions prior to 2.2.1
Discovery Timeline
- 2026-03-24 - CVE-2026-33676 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-33676
Vulnerability Analysis
This vulnerability is classified as CWE-863 (Incorrect Authorization), representing a broken access control flaw in the Vikunja task management API. The core issue lies in how the API handles related task relationships across different projects. When a user requests task data, the API fetches and returns related tasks without validating whether the requesting user has appropriate read permissions on the projects containing those related tasks.
The vulnerability is particularly impactful in multi-project environments where different users or teams maintain separate projects with varying access controls. Cross-project task relations can inadvertently create information disclosure pathways that bypass the intended permission model.
Root Cause
The root cause is the absence of permission validation when fetching related task objects. The original implementation would retrieve all projects for a user and filter buckets based on project IDs, but it failed to apply the same access control checks when populating the related_tasks field. This oversight meant that the API would return full task details regardless of whether the user had read access to the related task's project.
Attack Vector
An attacker with valid authentication credentials can exploit this vulnerability through normal API interactions. The attack requires:
- Valid user authentication to the Vikunja instance
- Read access to at least one task that has cross-project relations
- Standard API requests to retrieve task data
When these conditions are met, the API response will include complete task objects from unauthorized projects, exposing titles, descriptions, due dates, priorities, completion percentages, and project identifiers.
return err
}
- // We need to fetch all projects for that user to make sure they only
- // get to see buckets that they have permission to see.
- projectIDs := []int64{}
- allProjects, _, _, err := getAllRawProjects(s, a, "", 0, -1, false)
- if err != nil {
- return err
- }
-
- for _, project := range allProjects {
- projectIDs = append(projectIDs, project.ID)
- }
-
buckets := make(map[int64]*Bucket)
err = s.
Where(builder.In("id", builder.Select("bucket_id").
From("task_buckets").
Where(builder.In("task_id", taskIDs)))).
And(builder.In("project_view_id", builder.Select("id").
From("project_views").
- Where(builder.In("project_id", projectIDs)))).
+ Where(accessibleProjectIDsSubquery(a, "project_views.project_id")))).
Find(&buckets)
if err != nil {
return err
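Review bot: the hunk shown only rewires the bucket lookup (task_buckets filtered through project_views by accessibleProjectIDsSubquery(a, "project_views.project_id")); the related_tasks population path that the advisory names as the place where the permission check was missing is not in this excerpt, so confirm that the same subquery is applied where related task objects are loaded. Dropping the getAllRawProjects(s, a, "", 0, -1, false) loop also drops the only comment that explained the permission intent ("make sure they only get to see buckets that they have permission to see"); a one-line comment stating that the subquery enforces read access on the project would keep that intent visible to future readers.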
Source: GitHub Commit Update
Detection Methods for CVE-2026-33676
Indicators of Compromise
- API responses containing task data from projects the authenticated user does not have explicit access to
- Unusual patterns of task retrieval requests that include related_tasks field expansions
- User activity logs showing access to task details across multiple projects without corresponding project access grants
Detection Strategies
- Monitor API logs for task retrieval requests and correlate returned project IDs against user permission assignments
- Implement audit logging for all related_tasks field expansions to track potential unauthorized data access
- Review application logs for patterns where users receive task data from projects not in their permission scope
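Added example in Python, not Vikunja's own code: it applies the check the root-cause section says was missing to a constructed API response, listing related tasks whose project_id falls outside the requesting user's read set (the correlation the detection strategy above describes) and producing the filtered response a patched server would return. The grouping of related_tasks by relation kind and the READ_ACCESS map are assumptions.

```python
import json

# Constructed sample API response (values made up for illustration): a task the
# user can read, whose related_tasks map (grouped by relation kind, as assumed
# here) carries a full task object from a different project.
SAMPLE_RESPONSE = json.dumps({
    "id": 101, "title": "Prepare Q3 report", "project_id": 1,
    "related_tasks": {
        "related": [
            {"id": 202, "title": "Board deck", "project_id": 7,
             "description": "Confidential numbers", "priority": 4},
            {"id": 103, "title": "Collect figures", "project_id": 1},
        ],
        "subtask": [{"id": 104, "title": "Draft intro", "project_id": 1}],
    },
})

# Constructed permission model: user -> project IDs with read access. In a real
# review this would be derived from Vikunja's project and team membership data.
READ_ACCESS = {"alice": {1, 3}}

def _as_task(response):
    return json.loads(response) if isinstance(response, str) else response

def leaked_related_tasks(response, user, access=READ_ACCESS):
    """Detection side: list related tasks whose project the user cannot read.
    An empty list is the patched behaviour; any entry means the response
    disclosed a task object the permission model should have hidden."""
    task = _as_task(response)
    allowed = access.get(user, set())
    leaks = []
    for kind, tasks in (task.get("related_tasks") or {}).items():
        for related in tasks:
            pid = related.get("project_id")
            if pid not in allowed:
                leaks.append({"relation": kind, "task_id": related["id"], "project_id": pid,
                              "exposed_fields": sorted(k for k in related if k not in ("id", "project_id"))})
    return leaks

def filter_related_tasks(response, user, access=READ_ACCESS):
    """Mitigation side: the omitted check, applied to a response after the fact."""
    task = _as_task(response)
    allowed = access.get(user, set())
    task["related_tasks"] = {
        kind: [t for t in tasks if t.get("project_id") in allowed]
        for kind, tasks in (task.get("related_tasks") or {}).items()
    }
    return task
```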
Monitoring Recommendations
- Enable detailed API request/response logging for task endpoints in Vikunja
- Set up alerts for users accessing task data from an unusually high number of distinct projects
- Regularly audit cross-project task relationships to identify potential exposure vectors
How to Mitigate CVE-2026-33676
Immediate Actions Required
- Upgrade Vikunja to version 2.2.1 or later immediately
- Review API access logs to identify any potential exploitation of this vulnerability
- Audit cross-project task relationships to assess exposure scope
- Consider temporarily disabling cross-project task relations until the patch is applied
Patch Information
The vulnerability has been patched in Vikunja version 2.2.1. The fix implements proper authorization checks using an accessibleProjectIDsSubquery function that validates user permissions before returning related task data. The patch ensures that the API only returns task information from projects where the requesting user has verified read access.
For detailed patch information, refer to the GitHub Security Advisory, the GitHub Pull Request, and the Vikunja Changelog.
Workarounds
- Limit the creation of cross-project task relationships until the patch can be applied
- Restrict user registration and authentication to trusted users only
- Implement network-level access controls to limit API exposure
- Review and minimize the number of projects with sensitive task data that could be exposed through relations
# Configuration example
# Upgrade Vikunja to the patched version. The image name and the container
# name (vikunja-api) must match the ones used in your docker-compose.yml, and
# the image tag in that file must itself point at 2.2.1; pulling alone does not
# change which tag "docker-compose up" recreates the container from.
docker pull vikunja/api:2.2.1
docker-compose down
docker-compose up -d
# Verify the running version after the upgrade
docker exec vikunja-api vikunja version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.