Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.go` make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration, file attachment URLs from the third-party API response are passed directly to these functions, allowing an attacker to force the Vikunja server to fetch internal network resources and return the response as a downloadable task attachment. Version 2.2.1 patches the issue.
Published: 2026-03-24
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SSRF that allows internal network data exposure
Action: Immediate Patch
AI Analysis

Impact

Vikunja is an open‑source self‑hosted task‑management platform. The migration helper functions DownloadFile and DownloadFileWithHeaders allow the server to perform arbitrary HTTP GET requests without SSRF protection. A user initiating a migration from Todoist or Trello can supply file attachment URLs from the third‑party response that point to internal network resources. The server then fetches those resources and returns them as downloadable attachments, enabling data exposure of internal assets such as configuration files, internal services, or other sensitive resources. The flaw is not a remote code execution or privilege‑elevation issue; it solely permits unauthorized read access to internal data.

Affected Systems

The issue affects all Vikunja releases older than version 2.2.1. After applying the patch shipped in Vikunja 2.2.1, the migration functions no longer perform unsanitized external requests. The problem exists only within the Todoist or Trello migration workflow, so systems that have disabled or never used that feature are not exposed.

Risk and Exploitability

The CVSS base score is 6.4, placing the vulnerability in the medium‑to‑high range. The EPSS score is below 1 %, indicating a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a user or attacker to trigger a migration that includes a malicious file attachment URL; this can be achieved by compromising a third‑party account or by creating a migration request that includes a crafted URL if the system allows arbitrary URLs. No authentication bypass or elevated privileges are required beyond initiating the migration.

Generated by OpenCVE AI on March 27, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading to Vikunja 2.2.1 or newer.
  • If a patch cannot be applied immediately, restrict migration functionality to trusted administrators and validate URLs before fetching.
  • Ensure network segmentation or firewall rules prevent the server from reaching internal resources that should not be accessed.

Generated by OpenCVE AI on March 27, 2026 at 17:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-g66v-54v9-52pr Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources
History

Fri, 27 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Vikunja
Vikunja vikunja
CPEs cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
Vendors & Products Vikunja
Vikunja vikunja

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Go-vikunja
Go-vikunja vikunja
Vendors & Products Go-vikunja
Go-vikunja vikunja

Tue, 24 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Description Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions `DownloadFile` and `DownloadFileWithHeaders` in `pkg/modules/migration/helpers.go` make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration, file attachment URLs from the third-party API response are passed directly to these functions, allowing an attacker to force the Vikunja server to fetch internal network resources and return the response as a downloadable task attachment. Version 2.2.1 patches the issue.
Title Vikunja has SSRF via Todoist/Trello Migration File Attachment URLs that Allows Reading Internal Network Resources
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L'}

Subscriptions

Go-vikunja Vikunja
Vikunja Vikunja
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T18:15:30.530Z

Reserved: 2026-03-23T16:34:59.930Z

Link: CVE-2026-33675

cve-icon Vulnrichment

Updated: 2026-03-24T18:14:52.898Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T16:16:34.787

Modified: 2026-03-27T16:20:07.563

Link: CVE-2026-33675

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T20:26:40Z

Weaknesses