Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `GET /api/v1/projects/:project/webhooks` endpoint returns webhook BasicAuth credentials (`basic_auth_user` and `basic_auth_password`) in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC `secret` field, the BasicAuth fields added in a later migration were not given the same treatment. This allows read-only collaborators to steal credentials intended for authenticating against external webhook receivers. Version 2.2.1 patches the issue.
Published: 2026-03-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Exposure of webhook BasicAuth credentials to users with read-only access to a project.
Action: Patch Update
AI Analysis

Impact

The vulnerability allows any authenticated user with read access to a project to retrieve the BasicAuth user and password fields for that project's webhooks via the GET /api/v1/projects/:project/webhooks endpoint. This unwarranted disclosure can give an attacker credentials to authenticate against external webhook receivers, enabling them to send or receive data on behalf of the project without authorization. The exposed information directly undermines the confidentiality of the external webhook integration.

Affected Systems

This issue occurs in the Vikunja task‑management platform, specifically in releases prior to 2.2.1. Users running Vikunja 2.2.0 or older are affected; the vulnerability does not exist in version 2.2.1 or later where the fix is applied.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate to high severity, while the EPSS score of less than 1% suggests a low probability of widespread exploitation. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit it by simply sending a request to the listed API endpoint after authenticating with any account that has read permission to the project. No additional credentials or privileges are required beyond project‑read access, making the exploit path straightforward for legitimate collaborators.

Generated by OpenCVE AI on March 27, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Vikunja version 2.2.1 or later to remove the exposed fields from the API response.
  • If upgrading immediately is not possible, revoke or reset the BasicAuth credentials for all existing webhooks to prevent reuse.
  • Limit project read‑only permissions to trusted users and monitor webhook configurations for accidental credential exposure.

Generated by OpenCVE AI on March 27, 2026 at 17:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7c2g-p23p-4jg3 Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API
History

Fri, 27 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Vikunja
Vikunja vikunja
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
Vendors & Products Vikunja
Vikunja vikunja

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Go-vikunja
Go-vikunja vikunja
Vendors & Products Go-vikunja
Go-vikunja vikunja

Tue, 24 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `GET /api/v1/projects/:project/webhooks` endpoint returns webhook BasicAuth credentials (`basic_auth_user` and `basic_auth_password`) in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC `secret` field, the BasicAuth fields added in a later migration were not given the same treatment. This allows read-only collaborators to steal credentials intended for authenticating against external webhook receivers. Version 2.2.1 patches the issue.
Title Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Go-vikunja Vikunja
Vikunja Vikunja
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T17:43:43.803Z

Reserved: 2026-03-23T16:34:59.930Z

Link: CVE-2026-33677

cve-icon Vulnrichment

Updated: 2026-03-24T17:43:40.285Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T16:16:35.113

Modified: 2026-03-27T16:29:43.947

Link: CVE-2026-33677

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T20:26:38Z

Weaknesses