Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API
Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials (basic_auth_user and basic_auth_password) in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC secret field, the BasicAuth fields added in a later migration were not given the same treatment. This allows read-only collaborators to steal credentials intended for authenticating against external webhook receivers. Version 2.2.1 patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vikunja prior to 2.2.1 exposes webhook BasicAuth credentials via API to any read-only project collaborator, enabling credential theft.
Vulnerability
Overview
The GET /api/v1/projects/:project/webhooks endpoint in Vikunja, an open-source task management platform, returns webhook BasicAuth credentials (basic_auth_user and basic_auth_password) in plaintext to any user with read access to the project [1][3]. While the code correctly masks the HMAC secret field, the BasicAuth fields added in a later migration were not given similar treatment, leaving them exposed [3].
Exploitation
Prerequisites
An attacker only needs read-level permissions on a project to exploit this vulnerability. The ReadAll method in pkg/models/webhooks.go requires only project read access, and the BasicAuth fields are included in the JSON response without masking [3]. This allows any collaborator, including those with minimal privileges, to retrieve credentials intended for authenticating against external webhook receivers [1][3].
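The defect class described here is a serializer that redacts one credential field but not the ones added later. The following Go program is an added illustration, not Vikunja's code: the struct, the two redaction functions and the sample values are constructed for this page, and only the JSON key names are taken from the advisory. `redactVulnerable` mirrors the flaw (HMAC secret cleared, BasicAuth fields forgotten); `redactFixed` clears every credential-bearing field, and `leaksCredentials` is the regression check a maintainer would want so that a future field cannot slip past the filter again.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Webhook is a constructed stand-in for a webhook model. The JSON keys match
// the ones named in the advisory; the struct itself is not Vikunja's.
type Webhook struct {
	ID                int64  `json:"id"`
	TargetURL         string `json:"target_url"`
	Secret            string `json:"secret"`
	BasicAuthUser     string `json:"basic_auth_user"`
	BasicAuthPassword string `json:"basic_auth_password"`
}

// redactVulnerable reproduces the flaw class: only the HMAC secret is cleared
// before the list is serialized; the BasicAuth fields added later are missed.
func redactVulnerable(hooks []Webhook) []Webhook {
	out := make([]Webhook, len(hooks))
	for i, h := range hooks {
		h.Secret = ""
		out[i] = h
	}
	return out
}

// redactFixed clears every credential-bearing field in one place. Which of the
// two BasicAuth fields the real 2.2.1 fix keeps visible is not stated on the
// page; this hypothetical variant blanks both.
func redactFixed(hooks []Webhook) []Webhook {
	out := make([]Webhook, len(hooks))
	for i, h := range hooks {
		h.Secret = ""
		h.BasicAuthUser = ""
		h.BasicAuthPassword = ""
		out[i] = h
	}
	return out
}

// listResponse builds the JSON body a read-only collaborator would receive
// after the chosen redaction step has run.
func listResponse(hooks []Webhook, redact func([]Webhook) []Webhook) (string, error) {
	b, err := json.Marshal(redact(hooks))
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// leaksCredentials is the regression check: does the serialized body still
// contain any credential value stored on the model?
func leaksCredentials(body string, hooks []Webhook) bool {
	for _, h := range hooks {
		for _, v := range []string{h.Secret, h.BasicAuthUser, h.BasicAuthPassword} {
			if v != "" && strings.Contains(body, v) {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed sample data; the values are placeholders, not real credentials.
	hooks := []Webhook{{
		ID:                1,
		TargetURL:         "https://receiver.example/hook",
		Secret:            "hmac-secret-PLACEHOLDER",
		BasicAuthUser:     "webhook-user-PLACEHOLDER",
		BasicAuthPassword: "basic-auth-PLACEHOLDER",
	}}
	variants := map[string]func([]Webhook) []Webhook{
		"vulnerable": redactVulnerable,
		"fixed":      redactFixed,
	}
	for name, fn := range variants {
		body, err := listResponse(hooks, fn)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-10s leaks=%v %s\n", name, leaksCredentials(body, hooks), body)
	}
}
```

Running it prints two bodies: the vulnerable one still carries the BasicAuth values while the HMAC secret is already empty, which is exactly the partial masking the advisory describes. The useful design point is that `leaksCredentials` is driven by the model's own values, so adding a new sensitive field to the struct only requires adding it to that one list to keep the check honest.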
Impact
A malicious read-only user can steal the BasicAuth credentials configured for project webhooks. These credentials could then be used to authenticate against the external webhook receiver, potentially compromising the integrity of the webhook communication or impersonating the Vikunja instance [1][3].
Mitigation
The issue is fixed in Vikunja version 2.2.1, which was released as part of a larger security update addressing nine vulnerabilities [2]. Users are strongly encouraged to upgrade to the latest version to protect against credential exposure [1][2][3].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| code.vikunja.io/api (Go) | < 2.2.1 | 2.2.1 |
Affected products
- go-vikunja/vikunja (v5) Range: < 2.2.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-7c2g-p23p-4jg3 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33677 (ghsa, ADVISORY)
- github.com/go-vikunja/vikunja/security/advisories/GHSA-7c2g-p23p-4jg3 (ghsa, x_refsource_CONFIRM, WEB)
- vikunja.io/changelog/vikunja-v2.2.2-was-released (ghsa, x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.