Description
Vikunja is an open-source self-hosted task management platform. Starting in version 0.20.2 and prior to version 2.2.0, the `DELETE /api/v1/projects/:project/background` endpoint checks `CanRead` permission instead of `CanUpdate`, allowing any user with read-only access to a project to permanently delete its background image. Version 2.2.0 fixes the issue.
Published: 2026-03-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion of project background images
Action: Immediate Patch
AI Analysis

Impact

The vulnerability stems from an incorrect permission check on the DELETE /api/v1/projects/:project/background API endpoint. Instead of verifying that the user has the CanUpdate permission, the system checks for CanRead, allowing any user with read‑only access to a project to permanently delete its background image. This unauthorized modification removes a stored asset and violates integrity expectations but does not grant broader system access or cause direct data leakage; it represents a missing authorization check (CWE-863).

Affected Systems

The affected software is the Vikunja self‑hosted task‑management platform, produced by go‑vikunja. Versions from 0.20.2 up to just before 2.2.0 are impacted. The vulnerability is fixed in Vikunja 2.2.0, which updates the permission logic to require CanUpdate for deletion. Users running any earlier release should assess whether they have read‑only roles with access to project images.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests low exploitation probability in the wild. It is not listed in the CISA KEV catalog. An attacker needs only an authenticated read‑only account on the target project and can perform the delete operation via the exposed API, making the attack vector remote and low‑effort. The primary impact is loss of the project background image, potentially affecting user experience and visual cues, but it does not compromise data confidentiality or overall system integrity beyond the asset removal.

Generated by OpenCVE AI on March 24, 2026 at 22:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vikunja to version 2.2.0 or later, as the issue is fixed in that release.
  • Confirm that read‑only users no longer have the ability to delete background images by testing the endpoint.
  • If an upgrade is not immediately feasible, restrict read‑only user access to the /api/v1/projects/:project/background endpoint via network controls or API gateway rules.

Generated by OpenCVE AI on March 24, 2026 at 22:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-564f-wx8x-878h Vikunja read-only users can delete project background images via broken object-level authorization
History

Tue, 24 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Vikunja
Vikunja vikunja
CPEs cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
Vendors & Products Vikunja
Vikunja vikunja
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Go-vikunja
Go-vikunja vikunja
Vendors & Products Go-vikunja
Go-vikunja vikunja

Fri, 20 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Description Vikunja is an open-source self-hosted task management platform. Starting in version 0.20.2 and prior to version 2.2.0, the `DELETE /api/v1/projects/:project/background` endpoint checks `CanRead` permission instead of `CanUpdate`, allowing any user with read-only access to a project to permanently delete its background image. Version 2.2.0 fixes the issue.
Title Read-only Vikunja users can delete project background images via broken object-level authorization
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Go-vikunja Vikunja
Vikunja Vikunja
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T19:24:20.400Z

Reserved: 2026-03-18T21:23:36.676Z

Link: CVE-2026-33312

cve-icon Vulnrichment

Updated: 2026-03-20T19:24:00.808Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T15:16:18.010

Modified: 2026-03-24T21:17:38.897

Link: CVE-2026-33312

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:29:21Z

Weaknesses