CVE-2026-33679 Overview
CVE-2026-33679 is a Server-Side Request Forgery (SSRF) vulnerability affecting Vikunja, an open-source self-hosted task management platform. The vulnerability exists in the DownloadImage function within pkg/utils/avatar.go, which uses a bare http.Client{} without proper SSRF protections when downloading user avatar images from OpenID Connect (OIDC) picture claim URLs.
An attacker who controls their OIDC profile picture URL can exploit this flaw to force the Vikunja server to make HTTP GET requests to arbitrary internal endpoints or cloud metadata services. This vulnerability is particularly concerning because it bypasses the SSRF protections that are correctly implemented in Vikunja's webhook system, creating an inconsistent security posture.
Critical Impact
Attackers can leverage this SSRF vulnerability to access internal network resources, cloud metadata endpoints (such as AWS IMDSv1 at 169.254.169.254), or other services that should not be accessible from the Vikunja server, potentially leading to credential theft or further internal network compromise.
Affected Products
- Vikunja versions prior to 2.2.1
Discovery Timeline
- 2026-03-24 - CVE-2026-33679 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-33679
Vulnerability Analysis
This SSRF vulnerability (CWE-918) stems from inconsistent security controls within the Vikunja codebase. While the webhook functionality properly implements SSRF protections to prevent requests to internal networks, the avatar download functionality was overlooked and uses an unconfigured HTTP client.
When a user authenticates via OpenID Connect, Vikunja attempts to download the user's profile picture from the URL specified in the OIDC picture claim. Since this URL is user-controlled (via the identity provider profile), an attacker can set their profile picture URL to point to any destination, including internal IP ranges, localhost services, or cloud provider metadata endpoints.
The CVSS vector marks the scope as changed (S:C), meaning the vulnerable component can affect resources beyond its own security scope. This is particularly dangerous in cloud environments, where metadata services can expose sensitive credentials and configuration data to any process that can reach them from the instance.
Root Cause
The root cause is the use of a default http.Client{} in the DownloadImage function without implementing the same SSRF mitigation controls that exist elsewhere in the codebase. This represents a security inconsistency where some HTTP request paths are protected while others are not.
The vulnerable code path does not validate or sanitize the destination URL before making the request, allowing attackers to specify arbitrary URLs including:
- Internal IP addresses (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Localhost addresses (127.0.0.1, ::1)
- Cloud metadata endpoints (169.254.169.254)
- Link-local addresses
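The following is an added example (not Vikunja's code and not the patch commit) showing the pattern the advisory describes beside a hardened replacement. The names newAvatarClient, fetchAvatar and isDisallowedIP are hypothetical. The key design choice is to check the address in the dialer's Control hook, which sees the already-resolved IP of every connection, so DNS names that resolve to internal hosts and redirects to internal hosts are refused in the same place.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// The vulnerable shape described in the advisory, kept only as a comment for
// contrast: a default client with no control over where it connects.
//
//	client := http.Client{}
//	resp, err := client.Get(pictureURL)

// ErrDisallowedDestination is returned when a fetch would reach a loopback,
// private, link-local (including 169.254.169.254) or unspecified address.
var ErrDisallowedDestination = errors.New("destination address not allowed for avatar fetch")

// isDisallowedIP reports whether ip lies in a range the server must never
// fetch from. IPv4-mapped IPv6 addresses are covered because net.IP's
// predicates call To4 internally.
func isDisallowedIP(ip net.IP) bool {
	if ip == nil {
		return true // unparsable address: fail closed
	}
	return ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// isDisallowedAddr applies isDisallowedIP to a "host:port" dial address.
func isDisallowedAddr(address string) bool {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return true
	}
	return isDisallowedIP(net.ParseIP(host))
}

// newAvatarClient builds a client whose dialer vets the resolved IP of every
// connection, including connections made while following redirects.
func newAvatarClient() *http.Client {
	dialer := &net.Dialer{
		Timeout: 5 * time.Second,
		Control: func(network, address string, _ syscall.RawConn) error {
			if isDisallowedAddr(address) {
				return fmt.Errorf("%w: %s", ErrDisallowedDestination, address)
			}
			return nil
		},
	}
	return &http.Client{
		Timeout: 15 * time.Second,
		Transport: &http.Transport{
			DialContext: dialer.DialContext,
			Proxy:       nil, // with a proxy the dialer would see the proxy address, not the target
		},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("too many redirects")
			}
			return nil
		},
	}
}

// fetchAvatar downloads an avatar with the hardened client, accepting only
// http(s) URLs and at most maxBytes of body (hypothetical helper).
func fetchAvatar(ctx context.Context, client *http.Client, rawURL string, maxBytes int64) ([]byte, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, rawURL, nil)
	if err != nil {
		return nil, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(body)) > maxBytes {
		return nil, errors.New("avatar exceeds size limit")
	}
	return body, nil
}

func main() {
	// Refused before any packet leaves the host: Control runs prior to connect.
	_, err := fetchAvatar(context.Background(), newAvatarClient(),
		"http://169.254.169.254/latest/meta-data/", 1<<20)
	fmt.Println("metadata fetch refused:", errors.Is(err, ErrDisallowedDestination))
}
```

Checking at dial time rather than by inspecting the URL string is what closes the DNS-rebinding and redirect gaps; a URL-only allowlist can be satisfied by a public hostname that later resolves to an internal address.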
Attack Vector
The attack vector is network-based and requires low privileges (an authenticated user account via OIDC). The attacker must have the ability to control their profile picture URL in the identity provider used with Vikunja. The attack flow is as follows:
- Attacker registers or controls an account with an OIDC provider configured for Vikunja
- Attacker sets their OIDC profile picture URL to an internal target (e.g., http://169.254.169.254/latest/meta-data/iam/security-credentials/)
- Attacker authenticates to Vikunja using OIDC
- Vikunja's DownloadImage function fetches the malicious URL from the server's network context
- Response data may be processed or stored, potentially leaking sensitive internal information
For detailed technical information, see the GitHub Security Advisory.
Detection Methods for CVE-2026-33679
Indicators of Compromise
- Unexpected outbound HTTP requests from the Vikunja server to internal IP ranges
- HTTP requests to cloud metadata endpoints (169.254.169.254) originating from the Vikunja process
- OIDC authentication events followed by unusual network activity to localhost or private IP ranges
- Avatar download operations targeting non-standard URLs or IP addresses
Detection Strategies
- Monitor network traffic from Vikunja servers for connections to RFC 1918 private address ranges
- Implement DNS query logging to detect resolution of internal hostnames by the Vikunja application
- Review OIDC provider logs for user accounts with suspicious profile picture URLs
- Deploy network segmentation monitoring to detect lateral movement attempts from the Vikunja server
Monitoring Recommendations
- Enable verbose logging for the Vikunja application to capture avatar download requests and their target URLs
- Configure network-level monitoring on cloud metadata service endpoints to detect unauthorized access attempts
- Implement egress filtering rules and alert on violations from application servers
- Review application logs for failed or unusual avatar download operations
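As an added example of the correlation the detection strategies above call for (not part of the original advisory and not Vikunja's logging format), the block below scans constructed event lines, flags egress from the application host to loopback, private or link-local destinations, and attributes each hit to the OIDC login that immediately preceded it within a time window. The line format, the function findSuspiciousEgress and the sample events are all assumptions made for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
	"time"
)

// Constructed sample events, one per line: "<RFC3339 time> <kind> <fields>".
// The format is an assumption for this example, not a real log format.
//   auth   <username> oidc_login
//   egress <server ip> <destination ip>:<port>
// Lines are assumed to be in time order, as a collector would emit them.
const sampleEvents = `2026-03-24T10:00:00Z auth alice oidc_login
2026-03-24T10:00:01Z egress 10.1.2.3 203.0.113.10:443
2026-03-24T10:00:02Z egress 10.1.2.3 169.254.169.254:80
2026-03-24T10:05:00Z egress 10.1.2.3 203.0.113.10:443
this line is malformed and is skipped
2026-03-24T10:30:00Z egress 10.1.2.3 192.168.1.1:80`

// Alert records one egress event to a destination the server should not reach.
type Alert struct {
	When       time.Time
	Dst        string
	RecentUser string // OIDC user whose login preceded the egress within the window; "" if none
}

// isSensitiveDestination mirrors the ranges listed in the advisory's root-cause section.
func isSensitiveDestination(ip net.IP) bool {
	return ip != nil && (ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified())
}

// findSuspiciousEgress returns one Alert per egress event whose destination is
// sensitive, attributing it to the most recent OIDC login inside the window.
// Tracking only the most recent login is a simplification for the example.
func findSuspiciousEgress(events string, window time.Duration) []Alert {
	var alerts []Alert
	var lastLoginAt time.Time
	var lastLoginUser string
	sc := bufio.NewScanner(strings.NewReader(events))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 3 {
			continue // malformed line
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		switch f[1] {
		case "auth":
			if len(f) >= 4 && f[3] == "oidc_login" {
				lastLoginAt, lastLoginUser = ts, f[2]
			}
		case "egress":
			if len(f) < 4 {
				continue
			}
			host, _, err := net.SplitHostPort(f[3])
			if err != nil || !isSensitiveDestination(net.ParseIP(host)) {
				continue
			}
			a := Alert{When: ts, Dst: f[3]}
			if lastLoginUser != "" {
				if d := ts.Sub(lastLoginAt); d >= 0 && d <= window {
					a.RecentUser = lastLoginUser
				}
			}
			alerts = append(alerts, a)
		}
	}
	return alerts
}

func main() {
	for _, a := range findSuspiciousEgress(sampleEvents, 60*time.Second) {
		fmt.Printf("%s egress to %s (recent OIDC login: %q)\n", a.When.Format(time.RFC3339), a.Dst, a.RecentUser)
	}
}
```

On the sample data the metadata-service request two seconds after alice's login is attributed to her, while the later request to 192.168.1.1 has no login nearby and is reported without a user; both still warrant review, since the advisory's IoCs include any internal-range traffic from the Vikunja process.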
How to Mitigate CVE-2026-33679
Immediate Actions Required
- Upgrade Vikunja to version 2.2.1 or later immediately
- Review recent OIDC authentication logs for suspicious profile picture URLs
- Audit network access logs for any evidence of exploitation attempts
- Consider temporarily disabling OIDC authentication if upgrade cannot be performed immediately
Patch Information
The vulnerability has been patched in Vikunja version 2.2.1. The fix implements proper SSRF protections in the DownloadImage function, consistent with the controls already present in the webhook system.
- Patched Version: 2.2.1
- Patch Commit: 363aa6642352b08fc8bc6aaff2f3a550393af1cf
- Release Notes: Vikunja Changelog
Workarounds
- Implement network-level egress filtering to block requests from the Vikunja server to internal IP ranges and cloud metadata endpoints
- Deploy a web application firewall (WAF) or proxy that validates and sanitizes outbound requests from the application
- If possible, disable OIDC profile picture synchronization until the patch can be applied
- Restrict Vikunja's network access using firewall rules to limit outbound connectivity to only necessary external services
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.