Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read
Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the related_tasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to. Version 2.2.1 patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vikunja prior to 2.2.1 leaks full task details from inaccessible projects via the `related_tasks` API field due to missing authorization checks.
Vulnerability
Overview
CVE-2026-33676 is an information disclosure vulnerability in Vikunja, an open-source self-hosted task management platform. The root cause is in the addRelatedTasksToTasks() function in pkg/models/tasks.go (lines 496-548). When the API returns a task, it populates the related_tasks field with full task objects for all related tasks without verifying whether the requesting user has read permission on those tasks' projects [1][2]. A web.Auth parameter is received but is only used to determine favorites, never for access control on the related tasks themselves [2].
Exploitation
An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to [1]. The vulnerability is triggered during every task read operation — both project task listings (GET /api/v1/projects/{id}/views/{id}/tasks) and single task reads (GET /api/v1/tasks/{id}) [2]. No special privileges beyond authentication are required; the attacker simply needs to be able to view a task that has relations to tasks in other projects.
Impact
An attacker gains unauthorized access to sensitive task information from projects they should not be able to see. This includes task titles, descriptions, due dates, priority levels, completion percentages, and project IDs [1]. The information disclosure could reveal project structure, deadlines, or confidential details to unauthorized users.
Mitigation
The issue is patched in Vikunja version 2.2.1 [1][3]. Users are strongly advised to update as soon as possible, as this release also addresses eight other security vulnerabilities, some of which can be chained for critical impact [3]. No workarounds are mentioned in the advisories.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
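As an added illustration, not Vikunja's own code, the following Go program shows the check the advisory says was missing: before related tasks are attached to a task response, each one is filtered against the set of projects the requesting user may read. The types (Task, Relation, Store), the in-memory store, the user/project membership table and the sample data are hypothetical constructions; RelatedTasksUnchecked mirrors the flawed pattern (every related task returned in full) and RelatedTasksChecked applies the per-project read check.

```go
package main

import (
	"fmt"
	"sort"
)

// Task is a reduced task record. Hypothetical type, not Vikunja's model.
type Task struct {
	ID          int64
	ProjectID   int64
	Title       string
	Description string
}

// Relation links a task to another task with a relation kind. Hypothetical.
type Relation struct {
	TaskID      int64
	OtherTaskID int64
	Kind        string
}

// Store is an in-memory stand-in for the database layer (constructed).
type Store struct {
	Tasks      map[int64]*Task
	Relations  []Relation
	Membership map[int64]map[int64]bool // userID -> set of readable project IDs
}

// AccessibleProjectIDs returns the set of projects the user may read.
func (s *Store) AccessibleProjectIDs(userID int64) map[int64]bool {
	if ids, ok := s.Membership[userID]; ok {
		return ids
	}
	return map[int64]bool{}
}

// RelatedTasksUnchecked reproduces the flawed pattern: every related task is
// attached in full, regardless of whether the caller may read its project.
func (s *Store) RelatedTasksUnchecked(taskID int64) map[string][]*Task {
	out := map[string][]*Task{}
	for _, r := range s.Relations {
		if r.TaskID != taskID {
			continue
		}
		if t, ok := s.Tasks[r.OtherTaskID]; ok {
			out[r.Kind] = append(out[r.Kind], t)
		}
	}
	return out
}

// RelatedTasksChecked attaches only related tasks whose project the user can
// read; anything else is dropped before it can reach the API response.
func (s *Store) RelatedTasksChecked(userID, taskID int64) map[string][]*Task {
	allowed := s.AccessibleProjectIDs(userID)
	out := map[string][]*Task{}
	for _, r := range s.Relations {
		if r.TaskID != taskID {
			continue
		}
		t, ok := s.Tasks[r.OtherTaskID]
		if !ok || !allowed[t.ProjectID] {
			continue
		}
		out[r.Kind] = append(out[r.Kind], t)
	}
	return out
}

// RelatedIDs flattens a relation map into sorted task IDs, for comparison.
func RelatedIDs(m map[string][]*Task) []int64 {
	ids := []int64{}
	for _, ts := range m {
		for _, t := range ts {
			ids = append(ids, t.ID)
		}
	}
	sort.Slice(ids, func(i, j int) bool { return ids[i] < ids[j] })
	return ids
}

// SampleStore builds constructed data: user 1 may read project 10 only; task 100
// (project 10) relates to task 101 (project 10) and to task 200 (project 20).
func SampleStore() *Store {
	return &Store{
		Tasks: map[int64]*Task{
			100: {ID: 100, ProjectID: 10, Title: "Plan release"},
			101: {ID: 101, ProjectID: 10, Title: "Write changelog"},
			200: {ID: 200, ProjectID: 20, Title: "Confidential roadmap", Description: "not for user 1"},
		},
		Relations: []Relation{
			{TaskID: 100, OtherTaskID: 101, Kind: "subtask"},
			{TaskID: 100, OtherTaskID: 200, Kind: "related"},
		},
		Membership: map[int64]map[int64]bool{1: {10: true}},
	}
}

func main() {
	s := SampleStore()
	fmt.Println("unchecked:", RelatedIDs(s.RelatedTasksUnchecked(100))) // [101 200]
	fmt.Println("checked:  ", RelatedIDs(s.RelatedTasksChecked(1, 100))) // [101]
}
```

The unchecked variant returns task 200 from project 20 to a user who cannot read that project, which is the disclosure the advisory describes; the checked variant consults the caller's readable-project set for every related task, so the response only ever contains tasks the caller could also fetch directly. In a real service the same filter belongs in the query itself (as the upstream patch does with a subquery) rather than in post-processing, so that no unauthorized row is even loaded.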
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| code.vikunja.io/api | Go | < 2.2.1 | 2.2.1 |
Affected products
- go-vikunja/vikunja (range: < 2.2.1)
Patches
- 833f2aec006a: refactor: use accessibleProjectIDsSubquery in addBucketsToTasks
1 file changed · +1 −13
pkg/models/tasks.go+1 −13 modified@@ -562,26 +562,14 @@ func addBucketsToTasks(s *xorm.Session, a web.Auth, taskIDs []int64, taskMap map return err } - // We need to fetch all projects for that user to make sure they only - // get to see buckets that they have permission to see. - projectIDs := []int64{} - allProjects, _, _, err := getAllRawProjects(s, a, "", 0, -1, false) - if err != nil { - return err - } - - for _, project := range allProjects { - projectIDs = append(projectIDs, project.ID) - } - buckets := make(map[int64]*Bucket) err = s. Where(builder.In("id", builder.Select("bucket_id"). From("task_buckets"). Where(builder.In("task_id", taskIDs)))). And(builder.In("project_view_id", builder.Select("id"). From("project_views"). - Where(builder.In("project_id", projectIDs)))). + Where(accessibleProjectIDsSubquery(a, "project_views.project_id")))). Find(&buckets) if err != nil { return err
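Review bot: the hunk header names addBucketsToTasks, while the advisory text above identifies addRelatedTasksToTasks() as the function that attaches related_tasks without a permission check, so this hunk on its own does not close the related-task read path; the same `accessibleProjectIDsSubquery(a, ...)` filter needs to be applied where related tasks are loaded, and the PR #2449 listed under References is where that should be confirmed before the related_tasks disclosure is treated as fixed. Within this hunk, replacing the Go-side projectIDs list built from `getAllRawProjects(s, a, "", 0, -1, false)` with `Where(accessibleProjectIDsSubquery(a, "project_views.project_id"))` is the right direction: the authorization filter now lives in the query, and the three discarded return values of getAllRawProjects go away. A unit test asserting that a user without access to a project receives no buckets from that project's views would document the intended behaviour of the new subquery.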
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8cmm-j6c4-rr8v (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33676 (ghsa, ADVISORY)
- github.com/go-vikunja/vikunja/commit/833f2aec006ac0f6643c41872e45dd79220b9174 (ghsa, x_refsource_MISC, WEB)
- github.com/go-vikunja/vikunja/pull/2449 (ghsa, x_refsource_MISC, WEB)
- github.com/go-vikunja/vikunja/security/advisories/GHSA-8cmm-j6c4-rr8v (ghsa, x_refsource_CONFIRM, WEB)
- vikunja.io/changelog/vikunja-v2.2.2-was-released (ghsa, x_refsource_MISC, WEB)