Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http.Client{}` with no SSRF protection when downloading user avatar images from the OpenID Connect `picture` claim URL. An attacker who controls their OIDC profile picture URL can force the Vikunja server to make HTTP GET requests to arbitrary internal or cloud metadata endpoints. This bypasses the SSRF protections that are correctly applied to the webhook system. Version 2.2.1 patches the issue.
Published: 2026-03-24
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery via avatar download
Action: Patch Immediately
AI Analysis

Impact

The vulnerable code path would download a user's avatar image from the URL stored in the OpenID Connect profile picture claim without applying any SSRF safeguards. An attacker who can control that URL can coerce the Vikunja server into sending HTTP requests to any internal or cloud-metadata endpoint, revealing sensitive internal data or enabling further lateral movement. The flaw is a classic SSRF vulnerability (CWE-918) that bypasses protections already enforced for the webhook feature.
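As an added illustration (not Vikunja's own code), the Go below shows the shape of the fix the description points at: instead of a bare `http.Client{}`, the avatar fetch uses a dialer whose `Control` hook inspects the resolved IP right before `connect(2)` and refuses loopback, RFC 1918 and link-local (cloud metadata) destinations, with redirects bounded and kept on http(s). `SafeControl`, `CheckAvatarRedirect` and `NewAvatarClient` are names chosen here, not functions from the project.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"syscall"
	"time"
)

// isPrivateIP covers loopback, RFC 1918, link-local (incl. 169.254.169.254), unspecified and multicast.
func isPrivateIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// SafeControl runs after DNS resolution and just before connect(2), so it
// checks the IP actually being dialled rather than the hostname in the claim.
func SafeControl(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	if ip := net.ParseIP(host); ip == nil || isPrivateIP(ip) {
		return fmt.Errorf("ssrf guard: refusing to connect to %s", address)
	}
	return nil
}

// CheckAvatarRedirect keeps redirects bounded and restricted to http(s).
func CheckAvatarRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 3 {
		return fmt.Errorf("ssrf guard: too many redirects")
	}
	if req.URL.Scheme != "http" && req.URL.Scheme != "https" {
		return fmt.Errorf("ssrf guard: refusing redirect to scheme %q", req.URL.Scheme)
	}
	return nil
}

// NewAvatarClient replaces the bare http.Client{} with one whose dialer
// applies SafeControl to every connection, including those made on redirect.
func NewAvatarClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: SafeControl}
	return &http.Client{
		Timeout:       10 * time.Second,
		Transport:     &http.Transport{DialContext: d.DialContext},
		CheckRedirect: CheckAvatarRedirect,
	}
}
```

Because the check sits in the dialer rather than on the URL string, a hostname that resolves to an internal address is refused at connect time, and the same guard applies to every hop of a redirect chain.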

Affected Systems

The issue affects the Vikunja self-hosted task management platform, specifically versions prior to 2.2.1. The product is provided by the vendor go-vikunja under the name Vikunja. All installations that use an OpenID Connect authentication flow for user accounts are potentially impacted, as the avatar download is triggered automatically based on the picture claim.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to register or control an OpenID Connect identity where the picture URL can be set to a malicious endpoint, from which the server will issue the outbound request. Once triggered, the server could reach internal addresses or cloud-metadata services, but the ability to read or modify data depends on the internal environment and access controls.

Generated by OpenCVE AI on March 30, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Vikunja installation to version 2.2.1 or later.
  • If an upgrade cannot be performed immediately, enforce restrictions on the OpenID Connect provider so that the picture claim cannot point to external hosts, or disable avatar fetching if the application offers such a setting.
  • Monitor outbound HTTP traffic from the Vikunja server for unexpected internal requests and investigate any anomalies.
  • Ensure the existing webhook SSRF protections remain active and correctly configured.


Advisories

Source | ID | Title
GitHub GHSA | GHSA-g9xj-752q-xh63 | Vikunja Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download
History

Mon, 30 Mar 2026 14:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Vikunja; Vikunja vikunja
CPEs | | cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
Vendors & Products | | Vikunja; Vikunja vikunja

Wed, 25 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Go-vikunja; Go-vikunja vikunja
Vendors & Products | | Go-vikunja; Go-vikunja vikunja

Tue, 24 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 16:00:00 +0000

Type | Values Removed | Values Added
Description | | Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http.Client{}` with no SSRF protection when downloading user avatar images from the OpenID Connect `picture` claim URL. An attacker who controls their OIDC profile picture URL can force the Vikunja server to make HTTP GET requests to arbitrary internal or cloud metadata endpoints. This bypasses the SSRF protections that are correctly applied to the webhook system. Version 2.2.1 patches the issue.
Title | | Vikunja has SSRF via OpenID Connect Avatar Download that Bypasses Webhook SSRF Protections
Weaknesses | | CWE-918
References | |
Metrics | | cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T17:34:14.519Z

Reserved: 2026-03-23T16:34:59.931Z

Link: CVE-2026-33679

Vulnrichment

Updated: 2026-03-24T17:34:06.154Z

NVD

Status : Analyzed

Published: 2026-03-24T16:16:35.420

Modified: 2026-03-30T13:56:01.700

Link: CVE-2026-33679

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:58:06Z

Weaknesses