Vikunja Vulnerable to Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the LinkSharing.ReadAll() method allows link share authenticated users to list all link shares for a project, including their secret hashes. While LinkSharing.CanRead() correctly blocks link share users from reading individual shares via ReadOne, the ReadAllWeb handler bypasses this check by never calling CanRead(). An attacker with a read-only link share can retrieve hashes for write or admin link shares on the same project and authenticate with them, escalating to full admin access. Version 2.2.2 patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vikunja allows read-only link share users to list all share hashes via ReadAll endpoint, leading to privilege escalation to admin.
Vulnerability
CVE-2026-33680 is an authorization bypass in Vikunja's link share functionality. The ReadAllWeb handler directly calls LinkSharing.ReadAll() without first invoking CanRead(), unlike the ReadOneWeb handler which does perform the check. As a result, any user authenticated via a read-only link share can list all link shares for the same project, including their secret hashes [2].
Exploitation
An attacker with knowledge of a read-only link share URL (e.g., shared via email) can send a request to the ReadAll endpoint for the associated project. No special privileges or additional authentication are required beyond that share link. The endpoint returns the hashes of all other link shares on the project, including those with write or admin permissions [2].
Impact
Using one of the disclosed hashes, the attacker can authenticate as a higher-privileged share (write or admin) on the same project. This enables them to modify tasks, manage share settings, and, when chained with CVE-2026-33678, download or delete arbitrary file attachments across the whole instance [3]. The chain was rated critical.
Mitigation
The vulnerability is fixed in Vikunja version 2.2.2 [4]. The patch adds a check in LinkSharing.ReadAll() that blocks link share users from calling the method, returning a 403 Forbidden error [4]. All users are strongly encouraged to update immediately.
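The check the patch adds is small, so it is worth seeing in isolation. The following is an added example, not Vikunja's code: `Auth`, `User`, `LinkShare`, `store`, `canReadProject`, `ReadAllVulnerable`, `ReadAllFixed` and `HighestRightExposed` are constructed stand-ins for `web.Auth`, the `LinkSharing` model and its `ReadAll` method. `ReadAllVulnerable` reproduces the pre-2.2.2 behaviour (only the project-level read check, which a read-only share passes), and `ReadAllFixed` adds the patch's type assertion on the caller before anything else runs. The helper at the end is the kind of regression check a maintainer would keep: a read-only share must be refused outright, while a regular project user must still get the full list.

```go
package main

import (
	"errors"
	"fmt"
)

// Auth is a constructed stand-in for Vikunja's web.Auth: the principal
// behind a request, either a logged-in user or a link share.
type Auth interface {
	AuthID() int64
}

// User is a regular logged-in account.
type User struct{ ID int64 }

func (u *User) AuthID() int64 { return u.ID }

// LinkShare is a principal that authenticated with a share hash.
// Right is the share's permission level: 0 read, 1 write, 2 admin.
type LinkShare struct {
	ID        int64
	ProjectID int64
	Hash      string
	Right     int
}

func (l *LinkShare) AuthID() int64 { return l.ID }

// ErrForbidden plays the role of ErrGenericForbidden in the patch.
var ErrForbidden = errors.New("forbidden")

// store is a constructed in-memory table: three shares of increasing
// rights on project 1 and one share on an unrelated project.
var store = []LinkShare{
	{ID: 1, ProjectID: 1, Hash: "ro-hash", Right: 0},
	{ID: 2, ProjectID: 1, Hash: "rw-hash", Right: 1},
	{ID: 3, ProjectID: 1, Hash: "admin-hash", Right: 2},
	{ID: 4, ProjectID: 2, Hash: "other-hash", Right: 0},
}

// canReadProject mirrors the project-level check both versions perform:
// a link share may read only its own project; every user may read every
// project in this constructed model.
func canReadProject(a Auth, projectID int64) bool {
	switch p := a.(type) {
	case *LinkShare:
		return p.ProjectID == projectID
	case *User:
		return true
	}
	return false
}

func sharesOf(projectID int64) []LinkShare {
	var out []LinkShare
	for _, s := range store {
		if s.ProjectID == projectID {
			out = append(out, s)
		}
	}
	return out
}

// ReadAllVulnerable reproduces the pre-2.2.2 behaviour: the only gate is
// the project read check, so a read-only share on the project receives
// every share on it, secret hashes included.
func ReadAllVulnerable(a Auth, projectID int64) ([]LinkShare, error) {
	if !canReadProject(a, projectID) {
		return nil, ErrForbidden
	}
	return sharesOf(projectID), nil
}

// ReadAllFixed adds the check from the 2.2.2 patch: a caller that
// authenticated via a link share may not list link shares at all,
// regardless of its project rights.
func ReadAllFixed(a Auth, projectID int64) ([]LinkShare, error) {
	if _, isShare := a.(*LinkShare); isShare {
		return nil, ErrForbidden
	}
	if !canReadProject(a, projectID) {
		return nil, ErrForbidden
	}
	return sharesOf(projectID), nil
}

// HighestRightExposed returns the highest permission level among the
// shares a caller can list, or -1 when the call is refused. A regression
// test asserts -1 for any link-share caller and the full list for a user.
func HighestRightExposed(a Auth, projectID int64, readAll func(Auth, int64) ([]LinkShare, error)) int {
	shares, err := readAll(a, projectID)
	if err != nil {
		return -1
	}
	best := -1
	for _, s := range shares {
		if s.Right > best {
			best = s.Right
		}
	}
	return best
}

func main() {
	ro := &LinkShare{ID: 1, ProjectID: 1, Hash: "ro-hash", Right: 0}
	fmt.Println("vulnerable, read-only share:", HighestRightExposed(ro, 1, ReadAllVulnerable)) // 2
	fmt.Println("fixed, read-only share:     ", HighestRightExposed(ro, 1, ReadAllFixed))      // -1
	fmt.Println("fixed, regular user:        ", HighestRightExposed(&User{ID: 7}, 1, ReadAllFixed)) // 2
}
```

The point of asserting the type of the principal rather than its project rights is that a share's rights are, by construction, never enough to decide whether it may see other shares' secrets: the vulnerable variant answers "can this caller read project 1?" and the answer is yes for every share on project 1. The fixed variant answers the question the handler actually needs, "is this caller a link share?", before consulting project rights at all.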
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| code.vikunja.io/api (Go) | < 2.2.2 | 2.2.2 |
Affected products
- go-vikunja/vikunja, range: < 2.2.2
Patches
9efe1fadba81 fix: block link share users from listing link shares in ReadAll
2 files changed · +14 −9
pkg/models/link_sharing.go+5 −0 modified@@ -230,6 +230,11 @@ func (share *LinkSharing) ReadOne(s *xorm.Session, _ web.Auth) (err error) { // @Failure 500 {object} models.Message "Internal error" // @Router /projects/{project}/shares [get] func (share *LinkSharing) ReadAll(s *xorm.Session, a web.Auth, search string, page int, perPage int) (result interface{}, resultCount int, totalItems int64, err error) { + // Don't allow link share authenticated users to list link shares + if _, is := a.(*LinkSharing); is { + return nil, 0, 0, ErrGenericForbidden{} + } + project := &Project{ID: share.ProjectID} can, _, err := project.CanRead(s, a) if err != nil {
pkg/webtests/link_sharing_test.go+9 −9 modified@@ -739,19 +739,19 @@ func TestLinkSharing(t *testing.T) { } t.Run("ReadAll", func(t *testing.T) { t.Run("Shared readonly", func(t *testing.T) { - rec, err := testHandlerLinkShareReadOnly.testReadAllWithLinkShare(nil, map[string]string{"project": "1"}) - require.NoError(t, err) - assert.Contains(t, rec.Body.String(), `"hash":"test"`) + _, err := testHandlerLinkShareReadOnly.testReadAllWithLinkShare(nil, map[string]string{"project": "1"}) + require.Error(t, err) + assert.Contains(t, getHTTPErrorMessage(err), `Forbidden`) }) t.Run("Shared write", func(t *testing.T) { - rec, err := testHandlerLinkShareWrite.testReadAllWithLinkShare(nil, map[string]string{"project": "2"}) - require.NoError(t, err) - assert.Contains(t, rec.Body.String(), `"hash":"test2"`) + _, err := testHandlerLinkShareWrite.testReadAllWithLinkShare(nil, map[string]string{"project": "2"}) + require.Error(t, err) + assert.Contains(t, getHTTPErrorMessage(err), `Forbidden`) }) t.Run("Shared admin", func(t *testing.T) { - rec, err := testHandlerLinkShareAdmin.testReadAllWithLinkShare(nil, map[string]string{"project": "3"}) - require.NoError(t, err) - assert.Contains(t, rec.Body.String(), `"hash":"test3"`) + _, err := testHandlerLinkShareAdmin.testReadAllWithLinkShare(nil, map[string]string{"project": "3"}) + require.Error(t, err) + assert.Contains(t, getHTTPErrorMessage(err), `Forbidden`) }) }) t.Run("Create", func(t *testing.T) {
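Review bot: In the `pkg/models/link_sharing.go` hunk, the new early return surfaces a 403 from `ReadAll`, but the Swagger comments immediately above it still only document `@Failure 500 {object} models.Message "Internal error"`; add a `@Failure 403` entry next to it so the generated API docs reflect the new response. Also worth confirming in review that `*LinkSharing` is the only concrete type a link-share session is ever carried as in `web.Auth`: the assertion `if _, is := a.(*LinkSharing); is {` matches the pointer type only, so any other representation of a share principal would slip past it and fall through to `project.CanRead(s, a)`, which is exactly the check a read-only share passes.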
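Review bot: The `pkg/webtests/link_sharing_test.go` hunk replaces the three positive assertions (`"hash":"test"`, `"hash":"test2"`, `"hash":"test3"`) with `Forbidden` checks for read-only, write and admin shares, which covers the bypass, but after this change no test in the `ReadAll` subtest asserts the positive path any more. Add a case where a regular authenticated project user calls the same endpoint and still receives the share list (for example `assert.Contains(t, rec.Body.String(), `"hash":"test"`)` against a user handler), so a later change that over-restricts `ReadAll` is caught rather than silently passing these three negative cases.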
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8hp8-9fhr-pfm9 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-33680 (NVD advisory)
- github.com/go-vikunja/vikunja/commit/9efe1fadba817923c7c7f5953c3e9e9c5683bbf3 (fix commit)
- github.com/go-vikunja/vikunja/security/advisories/GHSA-8hp8-9fhr-pfm9 (vendor advisory)
- pkg.go.dev/vuln/GO-2026-4848 (Go vulnerability database)
- vikunja.io/changelog/vikunja-v2.2.2-was-released (release notes)
News mentions
No linked articles in our index yet.