VYPR
High severity · NVD Advisory · Published Mar 24, 2026 · Updated Mar 24, 2026

Vikunja has IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion

CVE-2026-33678

Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, TaskAttachment.ReadOne() queries attachments by ID only (WHERE id = ?), ignoring the task ID from the URL path. The permission check in CanRead() validates access to the task specified in the URL, but ReadOne() loads a different attachment that may belong to a task in another project. This allows any authenticated user to download or delete any attachment in the system by providing their own accessible task ID with a target attachment ID. Attachment IDs are sequential integers, making enumeration trivial. Version 2.2.1 patches the issue.
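The following Go program is an added illustration of the pattern the description names, not code from Vikunja or from the advisory. It models the vulnerable shape (authorise on the task ID from the URL, then load the attachment by its ID alone, the equivalent of WHERE id = ?) beside the corrected shape (load only an attachment that belongs to the authorised task, the equivalent of WHERE id = ? AND task_id = ?). All data, user names, project and task IDs and function names are constructed for the example; the same scoping applies to the delete path.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed sample model: projects own tasks, tasks own attachments.
type Task struct {
	ID        int64
	ProjectID int64
}

type Attachment struct {
	ID     int64
	TaskID int64
	File   string
}

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("not found")
)

// Constructed access table: which projects each user may read.
var projectAccess = map[string]map[int64]bool{
	"alice": {1: true},
	"bob":   {2: true},
}

// Constructed rows: task 10 is in project 1, task 20 in project 2.
var tasks = map[int64]Task{
	10: {ID: 10, ProjectID: 1},
	20: {ID: 20, ProjectID: 2},
}

// Constructed rows: sequential attachment IDs, one per task.
var attachments = map[int64]Attachment{
	100: {ID: 100, TaskID: 10, File: "alice-notes.txt"},
	200: {ID: 200, TaskID: 20, File: "bob-report.pdf"},
}

// canReadTask stands in for the CanRead() check on the task named in the URL.
func canReadTask(user string, taskID int64) bool {
	t, ok := tasks[taskID]
	if !ok {
		return false
	}
	return projectAccess[user][t.ProjectID]
}

// readOneVulnerable authorises the caller on taskID, then loads the
// attachment by its ID only (WHERE id = ?). The loaded row may belong
// to a task the caller was never authorised for: the IDOR from the advisory.
func readOneVulnerable(user string, taskID, attachmentID int64) (Attachment, error) {
	if !canReadTask(user, taskID) {
		return Attachment{}, ErrForbidden
	}
	a, ok := attachments[attachmentID]
	if !ok {
		return Attachment{}, ErrNotFound
	}
	return a, nil
}

// readOneFixed scopes the lookup to the task that passed the permission
// check (WHERE id = ? AND task_id = ?), so an attachment ID from another
// task resolves to "not found" rather than to someone else's file.
func readOneFixed(user string, taskID, attachmentID int64) (Attachment, error) {
	if !canReadTask(user, taskID) {
		return Attachment{}, ErrForbidden
	}
	a, ok := attachments[attachmentID]
	if !ok || a.TaskID != taskID {
		return Attachment{}, ErrNotFound
	}
	return a, nil
}

func main() {
	// alice may read task 10; attachment 200 belongs to task 20 in another project.
	a, err := readOneVulnerable("alice", 10, 200)
	fmt.Printf("vulnerable: %+v err=%v\n", a, err) // returns bob-report.pdf
	a, err = readOneFixed("alice", 10, 200)
	fmt.Printf("fixed:      %+v err=%v\n", a, err) // returns not found
}
```

The defensive rule the fixed version encodes is that every object lookup after an authorisation check must be constrained by the same identifiers the check covered; a check on the parent and a lookup on the child alone is the general IDOR shape, regardless of framework.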


Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions   Patched versions
code.vikunja.io/api (Go)   < 2.2.1             2.2.1
