Vikunja IDOR in Task Comments Allows Reading Arbitrary Comments
Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with the ID of a task they do have access to. Version 2.2.0 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated Vikunja user can read any task comment by ID, bypassing access controls by substituting a task ID they can access in the API URL.
Vulnerability
CVE-2026-33313 is an Insecure Direct Object Reference (IDOR) vulnerability in Vikunja, an open-source self-hosted task management platform, prior to version 2.2.0. The bug exists in the GET /api/v1/tasks/{taskID}/comments/{commentID} endpoint. The authorization check validates the user's permission to read the task specified by {taskID}, but then loads the comment solely by its {commentID} without verifying that the comment actually belongs to that task. This allows an authenticated user to read any comment in the system by providing a task ID they have access to (e.g., their own task) and a comment ID from a different, potentially private, task [1][3].
Exploitation
An attacker must be authenticated and have read access to at least one task (e.g., a task they created). They can then guess or enumerate comment IDs (which are sequential integers) and craft a request like GET /api/v1/tasks/A/comments/C, where A is a task they have access to and C is the target comment ID. The authorization check passes because the attacker can read task A; the comment is then loaded by ID alone, so the restriction to members of the comment's own project is never applied [3].
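The check-then-load flow described in the Vulnerability and Exploitation sections, as an added example that is not Vikunja's own code: an in-memory model of the GET /api/v1/tasks/{taskID}/comments/{commentID} handler with the pre-2.2.0 lookup (match the comment by id only) beside the patched lookup (match by id and task_id). The Task, Comment and Store types, the user names, the project membership data and the sample comments are all constructed for the example; the real project uses xorm queries, not maps.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed example (not Vikunja code): an in-memory model of the
// GET /api/v1/tasks/{taskID}/comments/{commentID} authorization flow.
// Task and Comment carry only the fields the advisory and patch mention.
type Task struct {
	ID      int64
	Project int64
}

type Comment struct {
	ID      int64
	TaskID  int64
	Author  string
	Comment string
}

// Store stands in for the database. members maps project -> users who can read it.
type Store struct {
	tasks    map[int64]Task
	comments map[int64]Comment
	members  map[int64]map[string]bool
}

var (
	ErrNotFound  = errors.New("not found")
	ErrForbidden = errors.New("forbidden")
)

// canReadTask is the permission check the endpoint performs on the task
// named in the URL. It says nothing about the comment.
func (s *Store) canReadTask(user string, taskID int64) error {
	t, ok := s.tasks[taskID]
	if !ok {
		return ErrNotFound
	}
	if !s.members[t.Project][user] {
		return ErrForbidden
	}
	return nil
}

// getCommentByIDOnly mirrors the pre-2.2.0 lookup: WHERE id = ?.
// The task from the URL is ignored, which is the IDOR.
func (s *Store) getCommentByIDOnly(_ int64, commentID int64) (Comment, error) {
	c, ok := s.comments[commentID]
	if !ok {
		return Comment{}, ErrNotFound
	}
	return c, nil
}

// getCommentForTask mirrors the patched lookup: WHERE id = ? AND task_id = ?.
// A comment that exists but belongs to another task is reported as not found,
// so the response does not confirm that the foreign comment ID is valid.
func (s *Store) getCommentForTask(taskID, commentID int64) (Comment, error) {
	c, ok := s.comments[commentID]
	if !ok || c.TaskID != taskID {
		return Comment{}, ErrNotFound
	}
	return c, nil
}

// ReadComment is the handler: authorize the task, then load the comment.
// fixed selects the patched lookup.
func (s *Store) ReadComment(user string, taskID, commentID int64, fixed bool) (Comment, error) {
	if err := s.canReadTask(user, taskID); err != nil {
		return Comment{}, err
	}
	if fixed {
		return s.getCommentForTask(taskID, commentID)
	}
	return s.getCommentByIDOnly(taskID, commentID)
}

// sampleStore builds constructed data: alice is a member of project 1 only;
// task 2 and its comment 2 live in project 2, which she must not see.
func sampleStore() *Store {
	return &Store{
		tasks: map[int64]Task{1: {ID: 1, Project: 1}, 2: {ID: 2, Project: 2}},
		comments: map[int64]Comment{
			1: {ID: 1, TaskID: 1, Author: "alice", Comment: "my own note"},
			2: {ID: 2, TaskID: 2, Author: "bob", Comment: "private: salary review"},
		},
		members: map[int64]map[string]bool{1: {"alice": true}, 2: {"bob": true}},
	}
}

func main() {
	s := sampleStore()
	// The request from the advisory: task A = 1 (readable by alice), comment C = 2 (foreign).
	for _, fixed := range []bool{false, true} {
		c, err := s.ReadComment("alice", 1, 2, fixed)
		fmt.Printf("fixed=%v -> comment=%q err=%v\n", fixed, c.Comment, err)
	}
}
```

The detail worth keeping from the patched lookup is that a mismatched task yields not-found rather than forbidden: the attacker cannot use the status code to confirm that comment C exists in some project they cannot see. The same ownership check is what a regression test for this endpoint should assert.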
Impact
A successful attacker can read the content and author of any task comment, including comments in private projects they are not a member of. This leaks potentially sensitive information that should be restricted to project members [1][3].
Mitigation
The vulnerability is fixed in Vikunja version 2.2.0, which was released on 2026-03-24. Users are strongly encouraged to update to this version or later [1][2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| code.vikunja.io/api (Go) | <= 2.1.0 | — |
Affected products
- go-vikunja/vikunja, range: < 2.2.0
Patches
bc6d843ed4df fix: verify comment belongs to task in URL to prevent IDOR
1 file changed · +1 −0
pkg/models/task_comments.go+1 −0 modified@@ -196,6 +196,7 @@ func (tc *TaskComment) Update(s *xorm.Session, _ web.Auth) error { func getTaskCommentSimple(s *xorm.Session, tc *TaskComment) error { exists, err := s. Where("id = ?", tc.ID). + And("task_id = ?", tc.TaskID). NoAutoCondition(). Get(tc) if err != nil {
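Review bot: the added `And("task_id = ?", tc.TaskID)` only closes the hole if every caller of getTaskCommentSimple has already copied the {taskID} path parameter into tc.TaskID before the call; the hunk does not show that binding, and because the query runs with NoAutoCondition a zero TaskID would make `task_id = 0` match nothing, turning every lookup (including the Update path visible in the hunk header) into a not-found. Please confirm the binding on the read, update and delete paths and add a regression test asserting that GET /api/v1/tasks/A/comments/C, with C belonging to a task other than A, returns not-found rather than the comment.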
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-mr3j-p26x-72x4 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33313 (ghsa, ADVISORY)
- github.com/go-vikunja/vikunja/commit/bc6d843ed4df82a6c89f10aa676a7a33d27bf2fd (ghsa, x_refsource_MISC, WEB)
- github.com/go-vikunja/vikunja/security/advisories/GHSA-mr3j-p26x-72x4 (ghsa, x_refsource_CONFIRM, WEB)
- vikunja.io/changelog/vikunja-v2.2.0-was-released (ghsa, x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.