Vikunja has SSRF via OpenID Connect Avatar Download that Bypasses Webhook SSRF Protections
Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the DownloadImage function in pkg/utils/avatar.go uses a bare http.Client{} with no SSRF protection when downloading user avatar images from the OpenID Connect picture claim URL. An attacker who controls their OIDC profile picture URL can force the Vikunja server to make HTTP GET requests to arbitrary internal or cloud metadata endpoints. This bypasses the SSRF protections that are correctly applied to the webhook system. Version 2.2.1 patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vikunja prior to 2.2.1 uses an unhardened HTTP client to download avatar images from OpenID Connect picture claims, enabling SSRF attacks against internal and metadata endpoints.
Vikunja is an open-source task management platform. In versions prior to 2.2.1, the DownloadImage function in pkg/utils/avatar.go uses a bare http.Client{} with no SSRF protection when downloading user avatar images from the OpenID Connect picture claim URL [1][2]. This contrasts with the webhook system, which correctly applies a hardened client that blocks non-routable IPs [2]. The vulnerable code path is triggered when a user authenticates via OpenID Connect: the picture claim is extracted from the ID token or UserInfo endpoint and passed to syncUserAvatarFromOpenID, which calls utils.DownloadImage with the attacker-controlled URL [2].
An attacker who controls their OIDC profile picture URL can force the Vikunja server to make HTTP GET requests to arbitrary internal or cloud metadata endpoints [1][2]. The default HTTP client does not block private IP ranges, meaning the server can be used to probe services such as internal APIs or cloud instance metadata services (e.g., http://169.254.169.254/) [2]. No additional authentication is required beyond being able to set a custom OIDC picture claim, which is possible when the attacker controls the OIDC identity provider or the claim is accepted from a user-controlled source [2].
The impact is a server-side request forgery (SSRF) vulnerability. An attacker can probe internal networks, access sensitive cloud metadata (e.g., AWS, GCP, Azure credentials), and potentially pivot to internal services that are not intended to be exposed [1][2]. This bypasses the SSRF protections that are correctly applied elsewhere in Vikunja, such as for webhooks [2]. The vulnerability is rated with a CVSS 4.0 vector awaiting full NVD assessment [1].
Vikunja version 2.2.1 patches this issue [1][2][3]. The release introduces a centralized SSRF protection layer with a shared HTTP client and new outgoingrequests config keys, replacing per-feature SSRF checks and covering all outgoing requests including avatar downloads [3]. Users are strongly advised to update to version 2.2.1 or later [3]. The vulnerability is also tracked as GHSA-g9xj-752q-xh63 and GO-2026-4852 [2][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
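The hardened client that the description contrasts with the bare http.Client{} can be built by vetting every resolved address before dialing, so that neither an IP literal, a DNS answer nor a redirect hop reaches loopback, private or link-local space. The following Go example is added here and is not Vikunja's NewSSRFSafeHTTPClient; the names isRoutableIP, safeDialContext and newSSRFSafeClient are my own.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"time"
)

// isRoutableIP passes only public unicast IPs; loopback, RFC 1918/ULA, link-local (incl. 169.254.169.254), multicast and unspecified are rejected.
func isRoutableIP(ip net.IP) bool {
	if ip == nil || ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast() {
		return false
	}
	ip4 := ip.To4() // IsPrivate ignores 0.0.0.0/8 and CGNAT 100.64.0.0/10; drop them too
	return ip4 == nil || (ip4[0] != 0 && !(ip4[0] == 100 && ip4[1]&0xc0 == 64))
}

// safeDialContext resolves the host, refuses any non-routable answer, then dials the vetted IP (not the name) so DNS rebinding cannot bypass the check.
func safeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, err
	}
	for _, ia := range ips {
		if !isRoutableIP(ia.IP) {
			return nil, fmt.Errorf("ssrf blocked: %s resolves to %s", host, ia.IP)
		}
	}
	d := net.Dialer{Timeout: 5 * time.Second}
	return d.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
}

// newSSRFSafeClient routes every connection, redirect hops included, through safeDialContext and adds the timeout the bare http.Client{} lacked.
func newSSRFSafeClient() *http.Client {
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.DialContext = safeDialContext
	return &http.Client{Transport: tr, Timeout: 10 * time.Second}
}

func main() { // constructed sample: the metadata address is refused before any connect
	_, err := safeDialContext(context.Background(), "tcp", "169.254.169.254:80")
	fmt.Println(err)
}
```

Because the check runs inside DialContext, it also covers redirects the client follows and TLS connections, which the transport still verifies against the URL's hostname.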
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| code.vikunja.io/api (Go) | < 2.2.1 | 2.2.1 |
Affected products
- go-vikunja/vikunja: affected range < 2.2.1
Patches
363aa6642352 fix: prevent SSRF via OpenID Connect avatar download (GHSA-g9xj-752q-xh63)
1 file changed · +1 −1
pkg/utils/avatar.go+1 −1 modified@@ -101,7 +101,7 @@ func DownloadImage(url string) ([]byte, error) { return nil, fmt.Errorf("failed to create HTTP request: %w", err) } - resp, err := (&http.Client{}).Do(req) // #nosec G704 -- URL comes from OIDC provider picture claim + resp, err := NewSSRFSafeHTTPClient().Do(req) if err != nil { return nil, fmt.Errorf("failed to download image: %w", err) }
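Review bot: the hunk changes only the call site in DownloadImage, so with one file changed NewSSRFSafeHTTPClient() must already exist elsewhere (the hardened webhook client the advisory refers to); confirm that client re-validates the destination on every redirect hop and sets a timeout, because the bare http.Client{} being removed had neither, and a picture URL that redirects after a pre-dial IP check is the failure mode an SSRF-safe client has to cover. The dropped `// #nosec G704 -- URL comes from OIDC provider picture claim` comment was also the only note that this URL is caller-supplied; consider keeping a plain comment to that effect so a later edit does not reintroduce an unhardened client here.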
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-g9xj-752q-xh63 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33679 (ghsa, ADVISORY)
- github.com/go-vikunja/vikunja/commit/363aa6642352b08fc8bc6aaff2f3a550393af1cf (ghsa, x_refsource_MISC, WEB)
- github.com/go-vikunja/vikunja/security/advisories/GHSA-g9xj-752q-xh63 (ghsa, x_refsource_CONFIRM, WEB)
- pkg.go.dev/vuln/GO-2026-4852 (ghsa, WEB)
- vikunja.io/changelog/vikunja-v2.2.2-was-released (ghsa, x_refsource_MISC, WEB)