CVE-2026-33677 Overview
CVE-2026-33677 is an information disclosure vulnerability in Vikunja, an open-source self-hosted task management platform. Prior to version 2.2.1, the GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials (basic_auth_user and basic_auth_password) in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC secret field, the BasicAuth fields added in a later migration were not given the same treatment. This allows read-only collaborators to steal credentials intended for authenticating against external webhook receivers.
Critical Impact
Read-only project collaborators can access plaintext BasicAuth credentials from webhook configurations, potentially enabling unauthorized access to external systems that trust these credentials for webhook authentication.
Affected Products
- Vikunja versions prior to 2.2.1
Discovery Timeline
- 2026-03-24 - CVE-2026-33677 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-33677
Vulnerability Analysis
This vulnerability falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The core issue stems from an inconsistent application of credential masking within the Vikunja API. When the webhook functionality was initially implemented, the developers correctly identified the HMAC secret field as sensitive and implemented masking to prevent its exposure through API responses. However, during a subsequent migration that introduced BasicAuth support for webhooks, the basic_auth_user and basic_auth_password fields were added without the same protective treatment.
As a result, any authenticated user with read access to a project can query the webhooks endpoint and receive the full BasicAuth credentials in the API response. This design flaw violates the principle of least privilege, as read-only collaborators should not have access to sensitive authentication credentials regardless of their project membership status.
Root Cause
The root cause is an incomplete implementation of credential masking logic in the webhook API response serialization. When the BasicAuth fields were added to the webhook model in a later migration, the developers failed to extend the existing masking mechanism to cover these new sensitive fields. The codebase had established a pattern for protecting secrets but the pattern was not followed consistently when new credential fields were introduced.
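The masking gap described in the Root Cause above, and the field-by-field fix described under Patch Information below, can both be illustrated with a small Go model. This is an added example written for this page, not Vikunja's own code: the `Webhook` struct, the field names beyond those the page mentions, and the helper functions are assumptions. It contrasts the pre-fix masking (only the HMAC secret is blanked), the fix as the page describes it (every credential field blanked), and a third, allowlist-based response type that fails closed when a later migration adds another secret column.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Webhook is a hypothetical stored webhook record with the fields named on the
// page (secret, basic_auth_user, basic_auth_password); it is not Vikunja's struct.
type Webhook struct {
	ID                int64  `json:"id"`
	TargetURL         string `json:"target_url"`
	Secret            string `json:"secret"`
	BasicAuthUser     string `json:"basic_auth_user"`
	BasicAuthPassword string `json:"basic_auth_password"`
}

// maskVulnerable models the pre-2.2.1 behaviour: the HMAC secret is blanked,
// but the BasicAuth fields added by a later migration are left untouched.
func maskVulnerable(w Webhook) Webhook {
	w.Secret = ""
	return w
}

// maskFixed models the 2.2.1 fix as the page describes it: every credential
// field is blanked. It still relies on someone remembering each new field.
func maskFixed(w Webhook) Webhook {
	w.Secret = ""
	w.BasicAuthUser = ""
	w.BasicAuthPassword = ""
	return w
}

// WebhookView is an explicit allowlist of what may leave the server. A column
// added to Webhook never reaches a response unless it is also added here, so
// the next migration cannot silently reintroduce the leak.
type WebhookView struct {
	ID           int64  `json:"id"`
	TargetURL    string `json:"target_url"`
	HasSecret    bool   `json:"has_secret"`
	HasBasicAuth bool   `json:"has_basic_auth"`
}

func toView(w Webhook) WebhookView {
	return WebhookView{
		ID:           w.ID,
		TargetURL:    w.TargetURL,
		HasSecret:    w.Secret != "",
		HasBasicAuth: w.BasicAuthUser != "" || w.BasicAuthPassword != "",
	}
}

// leaksCredential reports whether a serialized response body still contains
// any of the given secret values; this is the check a regression test should make.
func leaksCredential(body []byte, secrets ...string) bool {
	for _, s := range secrets {
		if s != "" && bytes.Contains(body, []byte(s)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample record; the values are placeholders, not real credentials.
	wh := Webhook{ID: 1, TargetURL: "https://receiver.example/hook",
		Secret: "hmac-secret", BasicAuthUser: "svc", BasicAuthPassword: "p@ss"}
	for _, c := range []struct {
		name string
		v    any
	}{
		{"vulnerable", maskVulnerable(wh)},
		{"fixed", maskFixed(wh)},
		{"allowlist", toView(wh)},
	} {
		body, _ := json.Marshal(c.v)
		leak := leaksCredential(body, wh.Secret, wh.BasicAuthUser, wh.BasicAuthPassword)
		fmt.Printf("%-10s leaks=%-5v %s\n", c.name, leak, body)
	}
}
```

Running the block prints three response bodies; only the "vulnerable" one still carries the BasicAuth values. The allowlist view is the design worth carrying forward: a read-only collaborator learns whether a webhook is configured with credentials, which is enough to use the UI, without ever seeing the values.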
Attack Vector
The attack vector is network-based and requires low-privileged access. An attacker must have read access to a project within the Vikunja instance—a common permission level for collaborators. The attack is straightforward: the attacker simply makes an authenticated GET request to /api/v1/projects/:project/webhooks for any project they can access. The API response includes the basic_auth_user and basic_auth_password values in plaintext, which the attacker can harvest and use to authenticate against external webhook receiver endpoints.
This vulnerability is particularly concerning in multi-tenant environments or organizations where project access is granted liberally. An attacker could use the stolen credentials to impersonate legitimate webhook traffic, potentially triggering unauthorized actions in external systems that trust the BasicAuth credentials for webhook authentication.
Detection Methods for CVE-2026-33677
Indicators of Compromise
- Unusual or unexpected requests to /api/v1/projects/:project/webhooks endpoints from read-only collaborators
- Multiple webhook endpoint queries across different projects from a single user account
- API access logs showing webhook configuration retrieval by users who do not typically manage integrations
- External webhook receivers reporting authentication from unexpected source IPs
Detection Strategies
- Monitor API access logs for the webhook endpoints and correlate with user permission levels
- Implement alerting for read-only users accessing sensitive configuration endpoints
- Review audit logs for patterns of systematic project enumeration followed by webhook queries
- Track failed authentication attempts on external webhook receivers that may indicate credential testing
Monitoring Recommendations
- Enable verbose logging for the /api/v1/projects/:project/webhooks API endpoint
- Configure alerts for any user with only read permissions querying webhook configurations
- Establish baseline access patterns for webhook management and alert on deviations
- Monitor external systems for unexpected webhook authentications using Vikunja-configured credentials
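The two detection strategies above that can be applied to the Vikunja side (read-only users hitting the webhooks endpoint, and one account fanning out across many projects) are shown here as a Go detector run over constructed access-log lines. This is an added example, not Vikunja's code or log format: the key=value line layout, the role table and the threshold are assumptions, and in a real deployment the role lookup would come from the Vikunja database or API.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Constructed access-log lines in a simple key=value layout (not Vikunja's real format).
var sampleLog = []string{
	"2026-03-25T10:00:01Z user=alice method=GET path=/api/v1/projects/7/webhooks status=200",
	"2026-03-25T10:00:05Z user=bob method=GET path=/api/v1/projects/7/tasks status=200",
	"2026-03-25T10:01:10Z user=bob method=GET path=/api/v1/projects/7/webhooks status=200",
	"2026-03-25T10:01:12Z user=bob method=GET path=/api/v1/projects/8/webhooks status=200",
	"2026-03-25T10:01:14Z user=bob method=GET path=/api/v1/projects/9/webhooks status=200",
	"2026-03-25T10:02:00Z user=carol method=PUT path=/api/v1/projects/7/webhooks/3 status=200",
}

const (
	RoleRead  = "read"
	RoleWrite = "write"
	RoleAdmin = "admin"
)

// roles maps project ID -> user -> role. Constructed for the example.
var roles = map[int64]map[string]string{
	7: {"alice": RoleAdmin, "bob": RoleRead, "carol": RoleWrite},
	8: {"bob": RoleRead},
	9: {"bob": RoleRead},
}

// webhookPath matches the endpoint named on the page, with an optional webhook ID suffix.
var webhookPath = regexp.MustCompile(`^/api/v1/projects/(\d+)/webhooks(?:/|$)`)

type Access struct {
	Time, User, Method, Path string
	Project                  int64
}

// parseLine extracts the fields of one log line. ok is false for lines that are
// not GET requests to a webhooks endpoint, since only reads leak the credentials.
func parseLine(line string) (a Access, ok bool) {
	fields := strings.Fields(line)
	if len(fields) == 0 {
		return a, false
	}
	a.Time = fields[0]
	for _, f := range fields[1:] {
		k, v, found := strings.Cut(f, "=")
		if !found {
			continue
		}
		switch k {
		case "user":
			a.User = v
		case "method":
			a.Method = v
		case "path":
			a.Path = v
		}
	}
	m := webhookPath.FindStringSubmatch(a.Path)
	if m == nil || a.Method != "GET" {
		return a, false
	}
	a.Project, _ = strconv.ParseInt(m[1], 10, 64)
	return a, true
}

type Finding struct {
	User     string
	Projects []int64
	Reason   string
}

// detect raises (1) one finding per webhook-config read by a read-only collaborator
// and (2) one finding per user who read webhooks across >= fanoutThreshold projects.
func detect(lines []string, fanoutThreshold int) []Finding {
	var findings []Finding
	perUser := map[string]map[int64]bool{}
	for _, ln := range lines {
		a, ok := parseLine(ln)
		if !ok {
			continue
		}
		if perUser[a.User] == nil {
			perUser[a.User] = map[int64]bool{}
		}
		perUser[a.User][a.Project] = true
		if roles[a.Project][a.User] == RoleRead {
			findings = append(findings, Finding{User: a.User, Projects: []int64{a.Project},
				Reason: "read-only collaborator retrieved webhook config at " + a.Time})
		}
	}
	users := make([]string, 0, len(perUser))
	for u := range perUser {
		users = append(users, u)
	}
	sort.Strings(users) // deterministic output order
	for _, u := range users {
		if len(perUser[u]) < fanoutThreshold {
			continue
		}
		var projs []int64
		for p := range perUser[u] {
			projs = append(projs, p)
		}
		sort.Slice(projs, func(i, j int) bool { return projs[i] < projs[j] })
		findings = append(findings, Finding{User: u, Projects: projs,
			Reason: fmt.Sprintf("webhook config read across %d projects", len(projs))})
	}
	return findings
}

func main() {
	for _, f := range detect(sampleLog, 3) {
		fmt.Printf("%-6s projects=%v  %s\n", f.User, f.Projects, f.Reason)
	}
}
```

On the constructed lines, alice (admin) and carol (a PUT, not a read) produce nothing, while bob produces three read-only findings plus one fan-out finding. The role lookup is the part that matters: the request itself looks like ordinary API traffic, so the alert has to be driven by who made it rather than by the path alone.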
How to Mitigate CVE-2026-33677
Immediate Actions Required
- Upgrade Vikunja to version 2.2.1 or later immediately
- Rotate all BasicAuth credentials configured for webhooks in your Vikunja instance
- Audit API access logs to identify any potential credential exposure prior to patching
- Review external systems that receive webhooks for unauthorized activity
Patch Information
Vikunja version 2.2.1 patches this issue by extending the credential masking logic to include the basic_auth_user and basic_auth_password fields in API responses. Users should upgrade to this version or later to remediate the vulnerability. For additional details, refer to the GitHub Security Advisory and the Vikunja Changelog.
Workarounds
- Remove BasicAuth credentials from webhook configurations until the patch can be applied
- Restrict project access to only trusted users who require collaboration privileges
- Use network-level access controls to limit who can reach the Vikunja API
- Temporarily disable webhook functionality if BasicAuth credentials cannot be removed
# Verification example
# Verify your Vikunja version to confirm patch status
vikunja version
# Expected output for patched versions: >= 2.2.1
# After upgrading, rotate webhook BasicAuth credentials
# Access your Vikunja admin panel or use the API to update webhook configurations
# with new credentials for all affected projects
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

