Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, `TaskAttachment.ReadOne()` queries attachments by ID only (`WHERE id = ?`), ignoring the task ID from the URL path. The permission check in `CanRead()` validates access to the task specified in the URL, but `ReadOne()` loads a different attachment that may belong to a task in another project. This allows any authenticated user to download or delete any attachment in the system by providing their own accessible task ID with a target attachment ID. Attachment IDs are sequential integers, making enumeration trivial. Version 2.2.1 patches the issue.
Published: 2026-03-24
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Apply Patch
AI Analysis

Impact

Vikunja’s TaskAttachment.ReadOne endpoint retrieves an attachment solely by ID, ignoring the task ID in the request path. Because the permission check enforces access only to the task specified in the URL, an attacker can supply any accessible task ID and an arbitrary attachment ID. This causes the system to load an attachment that may belong to a different project, enabling authenticated users to download or delete files that they should not have access to. The weakness is a form of Insecure Direct Object Reference (CWE‑639).
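
To make the lookup mismatch concrete, here is an added Go example (not Vikunja's code; the `Store`, `Attachment`, `Task` types, the membership model and the function names are constructed for illustration) that puts the flawed lookup-by-ID-only pattern beside the task-scoped lookup that closes the gap:

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed in-memory model for the example (not Vikunja's schema or code):
// attachments belong to tasks, tasks belong to projects, and a user can read a
// task only when they are a member of its project.
type Attachment struct {
	ID     int64
	TaskID int64
	File   string
}

type Task struct {
	ID        int64
	ProjectID int64
}

type Store struct {
	attachments map[int64]Attachment
	tasks       map[int64]Task
	members     map[string]map[int64]bool // user -> set of project IDs
}

var (
	ErrNotFound  = errors.New("attachment not found")
	ErrForbidden = errors.New("forbidden")
)

// canReadTask plays the role of the task-level permission check: it only
// knows about the task ID taken from the URL path.
func (s *Store) canReadTask(user string, taskID int64) bool {
	t, ok := s.tasks[taskID]
	if !ok {
		return false
	}
	return s.members[user][t.ProjectID]
}

// ReadOneVulnerable reproduces the flawed pattern from the advisory: the
// permission check is bound to taskID, but the lookup uses only attachmentID
// (the equivalent of `WHERE id = ?`), so the two may refer to different tasks.
func (s *Store) ReadOneVulnerable(user string, taskID, attachmentID int64) (Attachment, error) {
	if !s.canReadTask(user, taskID) {
		return Attachment{}, ErrForbidden
	}
	a, ok := s.attachments[attachmentID]
	if !ok {
		return Attachment{}, ErrNotFound
	}
	return a, nil
}

// ReadOneFixed scopes the lookup to the task that was actually authorized
// (the equivalent of `WHERE id = ? AND task_id = ?`). An attachment ID that
// belongs to another task is treated as not found, so it can be neither
// downloaded nor deleted through this path.
func (s *Store) ReadOneFixed(user string, taskID, attachmentID int64) (Attachment, error) {
	if !s.canReadTask(user, taskID) {
		return Attachment{}, ErrForbidden
	}
	a, ok := s.attachments[attachmentID]
	if !ok || a.TaskID != taskID {
		return Attachment{}, ErrNotFound
	}
	return a, nil
}

// SampleStore builds constructed data: alice belongs to project 1, bob to
// project 2; task 10 is in project 1, task 20 in project 2; attachment 100 is
// on task 10 and attachment 200 on task 20. IDs are sequential integers, as in
// the advisory, so the neighbouring ID is trivially guessable.
func SampleStore() *Store {
	return &Store{
		attachments: map[int64]Attachment{
			100: {ID: 100, TaskID: 10, File: "project1-secret.pdf"},
			200: {ID: 200, TaskID: 20, File: "project2-notes.txt"},
		},
		tasks: map[int64]Task{
			10: {ID: 10, ProjectID: 1},
			20: {ID: 20, ProjectID: 2},
		},
		members: map[string]map[int64]bool{
			"alice": {1: true},
			"bob":   {2: true},
		},
	}
}

func main() {
	s := SampleStore()
	// bob passes the check for his own task 20, then names attachment 100.
	if a, err := s.ReadOneVulnerable("bob", 20, 100); err == nil {
		fmt.Printf("vulnerable: bob reads %q from task %d\n", a.File, a.TaskID)
	}
	if _, err := s.ReadOneFixed("bob", 20, 100); err != nil {
		fmt.Printf("fixed: %v\n", err)
	}
}
```

The fix is the `a.TaskID != taskID` comparison (in SQL terms, adding `AND task_id = ?` to the query). When auditing similar handlers, look for any object lookup whose WHERE clause uses fewer scoping columns than the authorization check assumed; that gap is the CWE-639 pattern. Returning not-found rather than forbidden for the mismatch also avoids confirming to the caller that a guessed ID exists.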

Affected Systems

The flaw affects installations of the Vikunja task-management platform prior to version 2.2.1. The affected product is tracked under the CPE cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*. Any instance running an affected software version is susceptible, regardless of deployment size.

Risk and Exploitability

The CVSS base score of 8.1 indicates a high-severity vulnerability. EPSS is under 1%, suggesting that the likelihood of exploitation in the wild is currently low, and the issue is not listed in CISA’s KEV catalog. Nonetheless, the use of sequential numeric IDs makes attachment enumeration trivial, and any authenticated user can construct a request that downloads or deletes any file in the system. Attackers must first authenticate to the Vikunja instance, but no privileges beyond valid credentials are required.

Generated by OpenCVE AI on March 30, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vikunja to version 2.2.1 or later.
  • Verify that the installed version matches the latest patch.
  • Limit user access to attachments by enforcing least‑privilege permissions and monitor attachment activity for unusual access patterns.

Generated by OpenCVE AI on March 30, 2026 at 15:22 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-jfmm-mjcp-8wq2
Title: Vikjuna: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion
History

Mon, 30 Mar 2026 14:00:00 +0000

Type: First Time appeared
Values Removed: (none listed)
Values Added: Vikunja; Vikunja vikunja

Type: CPEs
Values Removed: (none listed)
Values Added: cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none listed)
Values Added: Vikunja; Vikunja vikunja

Wed, 25 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none listed)
Values Added: Go-vikunja; Go-vikunja vikunja

Type: Vendors & Products
Values Removed: (none listed)
Values Added: Go-vikunja; Go-vikunja vikunja

Tue, 24 Mar 2026 17:15:00 +0000

Type: Metrics
Values Removed: (none listed)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 16:00:00 +0000

Type: Description
Values Removed: (none listed)
Values Added: Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, `TaskAttachment.ReadOne()` queries attachments by ID only (`WHERE id = ?`), ignoring the task ID from the URL path. The permission check in `CanRead()` validates access to the task specified in the URL, but `ReadOne()` loads a different attachment that may belong to a task in another project. This allows any authenticated user to download or delete any attachment in the system by providing their own accessible task ID with a target attachment ID. Attachment IDs are sequential integers, making enumeration trivial. Version 2.2.1 patches the issue.

Type: Title
Values Removed: (none listed)
Values Added: Vikunja has IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion

Type: Weaknesses
Values Removed: (none listed)
Values Added: CWE-639

Type: References

Type: Metrics
Values Removed: (none listed)
Values Added: cvssV3_1
{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T17:04:42.454Z

Reserved: 2026-03-23T16:34:59.930Z

Link: CVE-2026-33678

Vulnrichment

Updated: 2026-03-24T17:04:32.665Z

NVD

Status: Analyzed

Published: 2026-03-24T16:16:35.270

Modified: 2026-03-30T13:57:13.337

Link: CVE-2026-33678

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:58:07Z

Weaknesses