Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DELETE /api/v1/projects/:project/shares/:share` endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares from other projects by providing their own project ID combined with the target share ID. Version 2.2.1 patches the issue.
Published: 2026-03-24
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: IDOR allowing admin users to delete link shares from other projects
Action: Immediate Patch
AI Analysis

Impact

Vikunja’s delete endpoint for link shares does not verify that the share belongs to the project in the URL, creating an improper access control flaw. An attacker who has administrative privileges on any project can supply a different project identifier and a valid share identifier to remove link shares from projects they do not own. The result is an unauthorized deletion of shared links, which can disrupt collaborative workflows and potentially expose shared resources by removing access. The vulnerability does not provide direct code execution but impacts the integrity and availability of cross‑project link shares.

Affected Systems

Open‑source task management platform Vikunja, developed by go‑vikunja. Versions prior to 2.2.1 are affected, as the patch is included in 2.2.1 and later releases.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, and the EPSS score of less than 1% shows a low likelihood of exploitation in the wild. The flaw is not listed in CISA’s KEV catalog. Exploitation requires authenticated admin access to any project, after which an attacker crafts a DELETE request with a target share ID and an arbitrary project ID to delete cross‑project shares. No additional conditions or payloads are required beyond valid authentication and the share ID target.

Generated by OpenCVE AI on March 30, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vikunja to version 2.2.1 or later

Generated by OpenCVE AI on March 30, 2026 at 14:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-f95f-77jx-fcjc Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion
History

Mon, 30 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Vikunja
Vikunja vikunja
CPEs cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
Vendors & Products Vikunja
Vikunja vikunja
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Go-vikunja
Go-vikunja vikunja
Vendors & Products Go-vikunja
Go-vikunja vikunja

Tue, 24 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DELETE /api/v1/projects/:project/shares/:share` endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares from other projects by providing their own project ID combined with the target share ID. Version 2.2.1 patches the issue.
Title Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Go-vikunja Vikunja
Vikunja Vikunja
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T18:04:42.445Z

Reserved: 2026-03-23T17:06:05.746Z

Link: CVE-2026-33700

cve-icon Vulnrichment

Updated: 2026-03-24T18:04:37.836Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T16:16:35.857

Modified: 2026-03-30T13:35:39.900

Link: CVE-2026-33700

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T20:58:04Z

Weaknesses