Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to. Version 2.2.0 fixes the issue.
Published: 2026-03-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access
Action: Patch
AI Analysis

Impact

Vikunja, an open‑source task management platform, has an IDOR that permits any authenticated user to read comments for tasks they are not authorized to see. The flaw arises because the comment API requires only a task ID, allowing attackers to substitute the ID of a task they normally can access and bypass the task‑level permission check. The weakness is classified as CWE‑639, and the impact is a confidentiality breach of comment content without affecting integrity or availability.

Affected Systems

All instances of Vikunja running versions prior to 2.2.0 are affected. The product is developed by go‑vikunja under the vendor name Vikunja. Version 2.2.0 and later contain a patch, so only deployments using v2.1.x or earlier are vulnerable.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity, and the vulnerability is not listed in CISA’s KEV catalog. No EPSS data is available. Exploitation requires simply being authenticated to the system; no elevated privileges are needed. An attacker who can log in can enumerate comment content across tasks, potentially exposing sensitive operational information.

Generated by OpenCVE AI on March 24, 2026 at 20:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official update to Vikunja v2.2.0 or later to eliminate the IDOR.

Generated by OpenCVE AI on March 24, 2026 at 20:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mr3j-p26x-72x4 Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments
History

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Go-vikunja
Go-vikunja vikunja
Vendors & Products Go-vikunja
Go-vikunja vikunja

Tue, 24 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Vikunja
Vikunja vikunja
CPEs cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
Vendors & Products Vikunja
Vikunja vikunja
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Tue, 24 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Description Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to. Version 2.2.0 fixes the issue.
Title Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Go-vikunja Vikunja
Vikunja Vikunja
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T17:14:22.348Z

Reserved: 2026-03-18T21:23:36.676Z

Link: CVE-2026-33313

cve-icon Vulnrichment

Updated: 2026-03-24T17:14:11.342Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T15:16:35.073

Modified: 2026-03-24T19:21:12.970

Link: CVE-2026-33313

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:50:06Z

Weaknesses