Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to. Version 2.2.1 patches the issue.
Published: 2026-03-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

A missing authorization check in the Vikunja API allows an authenticated user who can read a task that has cross‑project relations to receive full details of related tasks in projects they are not authorized to view. The returned data includes title, description, due dates, priority, percent completion, and project identifier, permitting an attacker to learn confidential task information beyond their permitted scope. The weakness aligns with CWE‑863, unauthorized access to resources due to insufficient authorization checks.

Affected Systems

The vulnerability affects the Vikunja task‑management platform distributed by go‑vikunja. Versions released before 2.2.1 are impacted; the issue is fixed in version 2.2.1 and later releases such as 2.2.2. Administrators should verify that their deployments are upgraded to at least 2.2.1.

Risk and Exploitability

The Common Vulnerability Scoring System rate of 6.5 indicates a moderate severity. The Exploit Prediction Scoring System shows a very low probability of exploitation (under 1 %). The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires the user to be authenticated and to possess read access to at least one task with cross‑project relations; the attacker then issues a standard API call to retrieve task information, exposing data from otherwise inaccessible projects.

Generated by OpenCVE AI on March 27, 2026 at 17:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vikunja to version 2.2.1 or newer as soon as possible.

Generated by OpenCVE AI on March 27, 2026 at 17:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8cmm-j6c4-rr8v Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read
History

Fri, 27 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Vikunja
Vikunja vikunja
CPEs cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
Vendors & Products Vikunja
Vikunja vikunja

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Go-vikunja
Go-vikunja vikunja
Vendors & Products Go-vikunja
Go-vikunja vikunja

Tue, 24 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to. Version 2.2.1 patches the issue.
Title Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Go-vikunja Vikunja
Vikunja Vikunja
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T18:55:19.706Z

Reserved: 2026-03-23T16:34:59.930Z

Link: CVE-2026-33676

cve-icon Vulnrichment

Updated: 2026-03-24T18:55:03.924Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T16:16:34.947

Modified: 2026-03-27T16:12:26.620

Link: CVE-2026-33676

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T20:26:39Z

Weaknesses