Read-only Vikunja users can delete project background images via broken object-level authorization
Description
Vikunja is an open-source self-hosted task management platform. Starting in version 0.20.2 and prior to version 2.2.0, the DELETE /api/v1/projects/:project/background endpoint checks CanRead permission instead of CanUpdate, allowing any user with read-only access to a project to permanently delete its background image. Version 2.2.0 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vikunja's project background deletion endpoint uses a read-only permission check, allowing read-only users to permanently delete background images.
Vikunja is an open-source self-hosted task management platform. In versions 0.20.2 through 2.1.1, the DELETE /api/v1/projects/:project/background endpoint incorrectly checks for CanRead permission instead of CanUpdate [1][3]. This flaw arises because the RemoveProjectBackground handler reuses the checkProjectBackgroundRights helper, which was originally written for the read-only GetProjectBackground endpoint, and only verifies read access [3].
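The following Go program is an added illustration of the pattern the narrative above describes and is not Vikunja's own code: a rights helper written for the read-only GET handler is reused by the DELETE handler, so only read access is ever checked, shown beside a hardened variant that derives the required right from the operation itself. The `Project`, `Right`, `Shares`, `requiredRight` and `RemoveBackground*` names are constructed for the example; only the `CanRead`/`CanUpdate` method names come from the advisory text.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Right is a per-user access level. The type and constants are constructed
// for this example and do not reproduce Vikunja's permission model.
type Right int

const (
	RightRead Right = iota
	RightWrite
	RightAdmin
)

// Project is a minimal stand-in for a project record that owns a background file.
type Project struct {
	ID                 int64
	BackgroundFileID   int64
	BackgroundBlurHash string
	Shares             map[string]Right // user -> granted right (constructed)
}

// has reports whether user holds at least the given right on the project.
func (p *Project) has(user string, min Right) bool {
	r, ok := p.Shares[user]
	return ok && r >= min
}

func (p *Project) CanRead(user string) bool   { return p.has(user, RightRead) }
func (p *Project) CanUpdate(user string) bool { return p.has(user, RightWrite) }

var ErrForbidden = errors.New("forbidden")

// checkBackgroundRightsVulnerable mirrors the flaw in the advisory: a helper
// written for the read-only GET endpoint only verifies read access.
func checkBackgroundRightsVulnerable(p *Project, user string) error {
	if !p.CanRead(user) {
		return ErrForbidden
	}
	return nil
}

// RemoveBackgroundVulnerable reuses the read-only helper for a destructive
// operation, so any reader can clear the background fields.
func RemoveBackgroundVulnerable(p *Project, user string) error {
	if err := checkBackgroundRightsVulnerable(p, user); err != nil {
		return err
	}
	p.BackgroundFileID = 0
	p.BackgroundBlurHash = ""
	return nil
}

// requiredRight maps the HTTP method to the permission the endpoint must
// verify. Unknown methods get the strictest level, so a new route cannot
// silently fall back to read access.
func requiredRight(method string) Right {
	switch method {
	case http.MethodGet, http.MethodHead:
		return RightRead
	case http.MethodPut, http.MethodPost, http.MethodDelete:
		return RightWrite
	default:
		return RightAdmin
	}
}

// CheckBackgroundRights is the hardened check: the required right is derived
// from the operation, not from whichever helper happened to exist first.
func CheckBackgroundRights(p *Project, user, method string) error {
	if !p.has(user, requiredRight(method)) {
		return ErrForbidden
	}
	return nil
}

// RemoveBackgroundFixed requires update rights before deleting anything.
func RemoveBackgroundFixed(p *Project, user string) error {
	if err := CheckBackgroundRights(p, user, http.MethodDelete); err != nil {
		return err
	}
	p.BackgroundFileID = 0
	p.BackgroundBlurHash = ""
	return nil
}

func main() {
	// Constructed sample project shared read-only with "reader".
	p := &Project{ID: 1, BackgroundFileID: 42, BackgroundBlurHash: "constructed-hash",
		Shares: map[string]Right{"reader": RightRead, "editor": RightWrite}}
	fmt.Println("vulnerable, reader:", RemoveBackgroundVulnerable(p, "reader"), "file id now", p.BackgroundFileID)
	p.BackgroundFileID = 42
	fmt.Println("fixed, reader:     ", RemoveBackgroundFixed(p, "reader"), "file id still", p.BackgroundFileID)
	fmt.Println("fixed, editor:     ", RemoveBackgroundFixed(p, "editor"), "file id now", p.BackgroundFileID)
}
```

The regression test a maintainer would want after such a fix is an authorization matrix: every (method, right) pair on the endpoint is asserted once, so a future helper reuse that downgrades a write check to a read check fails the build rather than shipping.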
Exploitation
An attacker can exploit this vulnerability by gaining any form of read-only access to a target project. This includes being directly shared a project with read permission, being part of a team with read access, obtaining a link share token with read scope, or possessing a read-scoped API token [3]. No further authentication bypass is required; a valid authenticated request with such read-only credentials to the vulnerable endpoint will succeed.
Impact
Successful exploitation results in the permanent deletion of the project's background image [1][3]. The background file is removed from storage, and the project's background_file_id and background_blur_hash fields are cleared; these actions cannot be undone [3]. This constitutes unauthorized data destruction, affecting the visual integrity of the project for all users.
Mitigation
The vulnerability is fixed in Vikunja version 2.2.0, which was released alongside nine other security fixes [1][2]. Users are strongly advised to update to the latest version; no workaround is mentioned in the advisories [1][2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| code.vikunja.io/api (Go) | >= 0.20.2, < 2.2.0 | 2.2.0 |
Affected products
- go-vikunja/vikunja (range: >= 0.20.2, < 2.2.0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-564f-wx8x-878h (GHSA, advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-33312 (GHSA, advisory)
- https://github.com/go-vikunja/vikunja/security/advisories/GHSA-564f-wx8x-878h (GHSA, x_refsource_CONFIRM, web)
- https://vikunja.io/changelog/vikunja-v2.2.0-was-released (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.