Vikunja has IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion
Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, TaskAttachment.ReadOne() queries attachments by ID only (WHERE id = ?), ignoring the task ID from the URL path. The permission check in CanRead() validates access to the task specified in the URL, but ReadOne() loads a different attachment that may belong to a task in another project. This allows any authenticated user to download or delete any attachment in the system by providing their own accessible task ID with a target attachment ID. Attachment IDs are sequential integers, making enumeration trivial. Version 2.2.1 patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-33678 is an IDOR vulnerability in Vikunja prior to v2.2.1 where authenticated users can download or delete any attachment by using a known attachment ID with an accessible task, due to a missing task ownership check.
Vulnerability
CVE-2026-33678 is an insecure direct object reference (IDOR) flaw in Vikunja, an open-source task management platform. The TaskAttachment.ReadOne() method queries attachments solely by attachment ID (WHERE id = ?), ignoring the associated task ID from the URL path [1][2]. The CanRead() permission check evaluates the task ID present in the URL, but ReadOne() then loads a different attachment if the attachment ID does not belong to that task [2]. This mismatch means the system validates access to the user's own task but fetches an arbitrary attachment.
Exploitation
Both read and delete operations are affected. For a GET request, the handler calls CanRead (which checks the URL task) and then ReadOne, which loads any attachment by its ID [2]. For DELETE, the handler uses CanDelete (again checking access to the URL task) and then Delete, which internally calls ReadOne to load the attachment before removing it [2]. Attachment IDs are sequential integers, making them easy to enumerate [1]. An authenticated user can supply any attachment ID (e.g., /api/v1/tasks/OWN_TASK_ID/attachments/TARGET_ATTACHMENT_ID) to read or delete attachments belonging to other users' projects.
Impact
This vulnerability allows any authenticated user to download or delete any file attachment stored in the Vikunja instance, regardless of project ownership [1][2]. An attacker who can access one task—even one they created—can pivot to read or destroy attachments from any other task in the system. The same flaw was previously fixed for task comments, suggesting a recurring pattern in the codebase [2].
Mitigation
The vulnerability is patched in Vikunja version 2.2.1 [1][3]. The patch adds a check to ensure the attachment ID belongs to the specified task before performing the read or delete operation. Users are strongly advised to update immediately, as this bug was part of a chain (with CVE-2026-33680) that could enable full administrative access [3].
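To make the defect described under Vulnerability and the fix described under Mitigation concrete, here is an added Go example that is not Vikunja's code: an in-memory slice stands in for the attachments table, and the hypothetical readOneVulnerable/readOneFixed functions model the lookup before and after the task-scoping check was added.

```go
package main

import (
	"errors"
	"fmt"
)

// Attachment carries only the fields the ownership check needs.
type Attachment struct {
	ID     int64
	TaskID int64
	File   string
}

var ErrNotFound = errors.New("attachment does not exist")
// Constructed sample data: attachment 2 hangs off task 20 in another project.
var attachments = []Attachment{
	{ID: 1, TaskID: 10, File: "notes.txt"},
	{ID: 2, TaskID: 20, File: "secret.pdf"},
}

// readOneVulnerable has the pre-2.2.1 shape: the lookup is by attachment ID
// alone (WHERE id = ?), so the task ID that CanRead() validated is ignored.
func readOneVulnerable(urlTaskID, attachmentID int64) (Attachment, error) {
	for _, a := range attachments {
		if a.ID == attachmentID { // urlTaskID never reaches the query
			return a, nil
		}
	}
	return Attachment{}, ErrNotFound
}

// readOneFixed scopes the lookup to the task the permission check covered
// (WHERE id = ? AND task_id = ?), so a foreign attachment ID is simply not found.
func readOneFixed(urlTaskID, attachmentID int64) (Attachment, error) {
	for _, a := range attachments {
		if a.ID == attachmentID && a.TaskID == urlTaskID {
			return a, nil
		}
	}
	return Attachment{}, ErrNotFound
}

func main() {
	// The caller is assumed to have passed CanRead() for task 10 only.
	v, _ := readOneVulnerable(10, 2)
	_, err := readOneFixed(10, 2)
	fmt.Printf("vulnerable returned %q; fixed returned %v\n", v.File, err)
}
```

The same scoping applies to the delete path, since Delete loads the row through ReadOne before removing it.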
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| code.vikunja.io/api (Go) | < 2.2.1 | 2.2.1 |
Affected products
- go-vikunja/vikunja (range: < 2.2.1)
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-jfmm-mjcp-8wq2 (source: ghsa; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33678 (source: ghsa; type: ADVISORY)
- github.com/go-vikunja/vikunja/security/advisories/GHSA-jfmm-mjcp-8wq2 (source: ghsa; x_refsource_CONFIRM; type: WEB)
- vikunja.io/changelog/vikunja-v2.2.2-was-released (source: ghsa; x_refsource_MISC; type: WEB)