CVE-2026-33680 Overview
CVE-2026-33680 is an authorization bypass vulnerability affecting Vikunja, an open-source self-hosted task management platform. The flaw exists in the LinkSharing.ReadAll() method, which allows link-share-authenticated users to enumerate all link shares for a project, including their secret hashes. This vulnerability enables attackers with read-only link share access to escalate privileges to full admin access on affected projects.
Critical Impact
Attackers with read-only link share access can retrieve hashes for write or admin link shares and escalate to full administrative privileges on the affected project.
Affected Products
- Vikunja versions prior to 2.2.2
Discovery Timeline
- 2026-03-24 - CVE-2026-33680 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-33680
Vulnerability Analysis
The vulnerability stems from an authorization check bypass in the Vikunja link sharing functionality. While the LinkSharing.CanRead() method correctly prevents link share users from reading individual shares via ReadOne, the ReadAllWeb handler fails to invoke this check before processing requests. This oversight allows authenticated link share users to call ReadAll() and retrieve all link shares for a project, including sensitive secret hashes.
The security flaw is classified under CWE-285 (Improper Authorization), indicating a failure to properly restrict access to sensitive functionality. An attacker who obtains a read-only link share can exploit this vulnerability to retrieve hash values for higher-privileged link shares (write or admin), then use those hashes to authenticate with elevated permissions.
Root Cause
The root cause is a missing authorization check in the ReadAll() method of the LinkSharing model. The ReadAllWeb handler processes requests without verifying whether the authenticated principal (specifically, a link-share-authenticated user) should be allowed to list all link shares. The method only checks whether the caller can read the project; it does not verify whether the caller's principal type should be allowed to enumerate link shares at all.
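The missing check described above, as an added Go illustration that is not Vikunja's code: a minimal model of the pre-2.2.2 ReadAll beside the guarded form. The Auth interface, User type, in-memory share store and numeric right encoding are constructed assumptions standing in for Vikunja's web.Auth and database; only the shape of the check (a concrete-type assertion on the auth principal, placed before the project-level read check) is taken from the advisory.

```go
package main

import "fmt"

// Auth stands in for Vikunja's web.Auth (assumption: only GetID is modelled).
type Auth interface{ GetID() int64 }

// User is a regular, password-authenticated account (constructed).
type User struct{ ID int64 }

func (u *User) GetID() int64 { return u.ID }

// LinkSharing mirrors the advisory's model: a request made with a share token
// is authenticated as the share itself, and Hash is the secret granting Right.
type LinkSharing struct {
	ID        int64
	ProjectID int64
	Right     int // 0 read, 1 write, 2 admin (constructed encoding)
	Hash      string
}

func (l *LinkSharing) GetID() int64 { return l.ID }

// ErrGenericForbidden carries the name used in the patch.
type ErrGenericForbidden struct{}

func (ErrGenericForbidden) Error() string { return "forbidden" }

// sharesByProject is a constructed in-memory stand-in for the database.
var sharesByProject = map[int64][]*LinkSharing{
	1: {
		{ID: 10, ProjectID: 1, Right: 0, Hash: "constructed-read-hash"},
		{ID: 11, ProjectID: 1, Right: 2, Hash: "constructed-admin-hash"},
	},
}

// projectCanRead is the only check the vulnerable ReadAll performed. Users are
// treated as project members here (assumption); a share may read the project
// it is bound to.
func projectCanRead(projectID int64, a Auth) bool {
	switch p := a.(type) {
	case *User:
		return true
	case *LinkSharing:
		return p.ProjectID == projectID
	}
	return false
}

// readAllVulnerable: any principal that can read the project receives the
// whole share list, hashes included, so a read-only share sees the admin hash.
func readAllVulnerable(projectID int64, a Auth) ([]*LinkSharing, error) {
	if !projectCanRead(projectID, a) {
		return nil, ErrGenericForbidden{}
	}
	return sharesByProject[projectID], nil
}

// readAllFixed adds the 2.2.2 guard: the principal type is rejected before
// the project-level permission is consulted.
func readAllFixed(projectID int64, a Auth) ([]*LinkSharing, error) {
	if _, isShare := a.(*LinkSharing); isShare {
		return nil, ErrGenericForbidden{}
	}
	if !projectCanRead(projectID, a) {
		return nil, ErrGenericForbidden{}
	}
	return sharesByProject[projectID], nil
}

// highestRight reports the most privileged right in a listing; anything above
// the caller's own right is an exposure. Returns -1 for an empty listing.
func highestRight(shares []*LinkSharing) int {
	top := -1
	for _, s := range shares {
		if s.Right > top {
			top = s.Right
		}
	}
	return top
}

func main() {
	readOnly := &LinkSharing{ID: 10, ProjectID: 1, Right: 0}
	for _, v := range []struct {
		name string
		fn   func(int64, Auth) ([]*LinkSharing, error)
	}{{"vulnerable", readAllVulnerable}, {"fixed", readAllFixed}} {
		shares, err := v.fn(1, readOnly)
		fmt.Printf("%-10s read-only share -> %d shares, highest right %d, err=%v\n",
			v.name, len(shares), highestRight(shares), err)
	}
	shares, err := readAllFixed(1, &User{ID: 7})
	fmt.Printf("%-10s regular user    -> %d shares, err=%v\n", "fixed", len(shares), err)
}
```

The ordering matters: the type guard runs first, so the project-level check, which a read share legitimately passes, never gets the chance to admit it to the listing.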
Attack Vector
The attack requires network access and can be performed without any user interaction. An attacker must possess a valid read-only link share for a target project. The exploitation sequence involves:
- Authenticating to the Vikunja API using a read-only link share token
- Calling the GET /projects/{project}/shares endpoint to retrieve all link shares
- Extracting the secret hashes from higher-privileged link shares (write or admin)
- Authenticating using the extracted admin or write link share hash
- Gaining full administrative or write access to the project
// Security patch in pkg/models/link_sharing.go - fix: block link share users from listing link shares in ReadAll
// @Failure 500 {object} models.Message "Internal error"
// @Router /projects/{project}/shares [get]
func (share *LinkSharing) ReadAll(s *xorm.Session, a web.Auth, search string, page int, perPage int) (result interface{}, resultCount int, totalItems int64, err error) {
+ // Don't allow link share authenticated users to list link shares
+ if _, is := a.(*LinkSharing); is {
+ return nil, 0, 0, ErrGenericForbidden{}
+ }
+
project := &Project{ID: share.ProjectID}
can, _, err := project.CanRead(s, a)
if err != nil {
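Review bot: the guard `if _, is := a.(*LinkSharing); is` is a concrete-type assertion, so it only rejects principals whose web.Auth value is exactly `*LinkSharing`; ReadAll should get a regression test asserting that a `*LinkSharing` auth receives `ErrGenericForbidden{}` and that a regular user auth still proceeds to `project.CanRead`, so a later change to how link shares are represented as web.Auth cannot silently reopen the listing. Placing the guard ahead of `project.CanRead` is the right ordering, since the project-level check on its own is what admitted read shares to the listing.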
Source: GitHub Commit Update
Detection Methods for CVE-2026-33680
Indicators of Compromise
- Unexpected API requests to /projects/{project}/shares endpoints from link share authenticated sessions
- Authentication events showing users accessing resources with multiple different link share tokens in short succession
- Access logs showing privilege escalation patterns where read-only link share users suddenly perform write or admin operations
Detection Strategies
- Monitor API access logs for requests to the link share enumeration endpoint (/projects/{project}/shares) from link share authenticated contexts
- Implement alerting for authentication events where a single client authenticates using multiple different link share tokens for the same project
- Review audit logs for unusual privilege escalation patterns within project access
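The first two strategies above, run over constructed log lines in Go (an added example, not part of the advisory or of Vikunja's tooling). The key=value log layout, field names and sample addresses are constructed assumptions; Vikunja's own log format is not reproduced, so parseLine would need adapting to it.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample access-log lines in an assumed key=value layout.
const sampleLog = `2026-03-25T10:00:01Z client=203.0.113.5 auth=user user_id=7 project=1 method=GET path=/projects/1/shares status=200
2026-03-25T10:00:05Z client=198.51.100.9 auth=linkshare share_id=10 project=1 method=GET path=/projects/1/tasks status=200
2026-03-25T10:00:06Z client=198.51.100.9 auth=linkshare share_id=10 project=1 method=GET path=/projects/1/shares status=200
2026-03-25T10:00:09Z client=198.51.100.9 auth=linkshare share_id=11 project=1 method=POST path=/projects/1/tasks status=201
2026-03-25T10:01:00Z client=192.0.2.20 auth=linkshare share_id=30 project=2 method=GET path=/projects/2/tasks status=200`

// entry holds only the fields the two rules need.
type entry struct {
	ts, client, auth, shareID, project, method, path string
}

// parseLine reads one assumed-format line; the timestamp is the first field
// and the rest are key=value pairs. Unknown keys are ignored.
func parseLine(line string) (entry, bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return entry{}, false
	}
	e := entry{ts: fields[0]}
	for _, f := range fields[1:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			continue
		}
		switch k {
		case "client":
			e.client = v
		case "auth":
			e.auth = v
		case "share_id":
			e.shareID = v
		case "project":
			e.project = v
		case "method":
			e.method = v
		case "path":
			e.path = v
		}
	}
	return e, true
}

// sharesListPath matches the listing endpoint only; ReadOne paths carrying a
// share id suffix are already guarded by CanRead according to the advisory.
var sharesListPath = regexp.MustCompile(`^/projects/\d+/shares/?$`)

type Finding struct {
	Rule, Client, Detail string
}

func sortedKeys(m map[string]bool) string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return strings.Join(keys, ",")
}

// analyze applies both rules in one pass and returns findings in log order.
func analyze(log string) []Finding {
	var findings []Finding
	seen := map[string]map[string]bool{} // "client|project" -> distinct share ids
	for _, raw := range strings.Split(log, "\n") {
		e, ok := parseLine(strings.TrimSpace(raw))
		if !ok {
			continue
		}
		// Rule 1: a link-share principal requesting the project's share listing.
		if e.auth == "linkshare" && e.method == "GET" && sharesListPath.MatchString(e.path) {
			findings = append(findings, Finding{
				Rule: "linkshare-enumerates-shares", Client: e.client,
				Detail: fmt.Sprintf("share %s requested %s at %s", e.shareID, e.path, e.ts),
			})
		}
		// Rule 2: one client presenting a second distinct share token for the
		// same project. Fires once, when the second token first appears.
		if e.auth == "linkshare" && e.shareID != "" {
			key := e.client + "|" + e.project
			if seen[key] == nil {
				seen[key] = map[string]bool{}
			}
			seen[key][e.shareID] = true
			if len(seen[key]) == 2 {
				findings = append(findings, Finding{
					Rule: "multiple-share-tokens", Client: e.client,
					Detail: fmt.Sprintf("project %s used with share ids %s", e.project, sortedKeys(seen[key])),
				})
			}
		}
	}
	return findings
}

func main() {
	for _, f := range analyze(sampleLog) {
		fmt.Printf("%-28s client=%s %s\n", f.Rule, f.Client, f.Detail)
	}
}
```

On the sample, the regular user's listing request on the first line is not flagged (listing is legitimate for members), while the read share on 198.51.100.9 trips rule 1 and its later use of a second share id for the same project trips rule 2; after the 2.2.2 upgrade, rule 1 hits should correspond to 403 responses rather than 200s.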
Monitoring Recommendations
- Enable detailed API request logging to capture authentication context and endpoint access patterns
- Configure alerts for anomalous link share usage, particularly when read-only shares are used to enumerate share listings
- Implement rate limiting on link share authentication endpoints to slow potential exploitation attempts
How to Mitigate CVE-2026-33680
Immediate Actions Required
- Upgrade Vikunja to version 2.2.2 or later immediately
- Review existing link shares on all projects and regenerate admin and write link shares as a precaution
- Audit access logs for any suspicious enumeration of link shares prior to patching
Patch Information
The vulnerability is patched in Vikunja version 2.2.2. The fix adds an explicit check in the ReadAll() method to block link share authenticated users from listing link shares, returning an ErrGenericForbidden{} error when such access is attempted.
For detailed patch information, see the GitHub Commit Update and the Vikunja Changelog Release.
Workarounds
- Disable or remove link sharing functionality on sensitive projects until patching is complete
- Restrict network access to the Vikunja API to trusted networks if possible
- Regenerate all link shares after applying the patch to invalidate potentially compromised hashes
# Verify the installed Vikunja version after upgrading
vikunja version
# Expected output: v2.2.2 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

