VYPR
Moderate severity · NVD Advisory · Published Mar 24, 2026 · Updated Mar 24, 2026

Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion

CVE-2026-33700

Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the DELETE /api/v1/projects/:project/shares/:share endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares from other projects by providing their own project ID combined with the target share ID. Version 2.2.1 patches the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vikunja prior to 2.2.1 fails to verify link share ownership on DELETE, letting an admin of any project delete shares from other projects.

Vulnerability

Overview

CVE-2026-33700 is an insecure direct object reference (IDOR) vulnerability in Vikunja, an open-source self-hosted task management platform. The DELETE /api/v1/projects/:project/shares/:share endpoint does not verify that the link share being deleted belongs to the project named in the URL. The permission check in canDoLinkShare validates admin access on the project taken from the :project parameter, but the Delete method at pkg/models/link_sharing.go:305 runs a query filtered only by WHERE id = ? on the share ID, so the project the caller was authorized on and the project the share actually belongs to are never compared [1][3].

Exploitation

An attacker with admin access to any project can exploit this by supplying their own project ID together with the target share ID. For example, User A creates Project A and a link share with ID X. User B creates Project B (which grants User B admin access on it) and calls DELETE /api/v1/projects/{projectB_id}/shares/{X}. The permission check passes because User B is admin on Project B, and the delete then executes WHERE id = X, removing User A's link share [3]. Because link share IDs are sequential integers, an attacker can enumerate them trivially and does not need to know the target share in advance [3].

Impact

An authenticated user with admin access to any project can delete link shares belonging to any other project in the system, disrupting collaboration by removing shared access links [1][3]. This is the same vulnerability class as GHSA-jfmm-mjcp-8wq2 (task attachment IDOR) and the fixed GHSA-mr3j-p26x-72x4 (task comment IDOR) [3].

Mitigation

Vikunja version 2.2.1 patches the issue by adding a project_id check in the delete query [1][2]. The recommended fix changes the delete to WHERE id = ? AND project_id = ? [3]. Users are strongly encouraged to update to 2.2.1 or later [2].
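The following Go program is an added illustration of the check/query mismatch described in the Overview and Exploitation sections and of the project_id scoping that the fix introduces. It is not Vikunja's code: the project queries its database through xorm, whereas this stand-in keeps link shares in memory and models only the WHERE predicate of the delete. The Store, isAdmin, DeleteVulnerable and DeleteFixed names, the admins map used in place of canDoLinkShare, and all IDs in NewScenario are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// LinkShare is a constructed stand-in for a row in Vikunja's link_shares table.
type LinkShare struct {
	ID        int64
	ProjectID int64
}

// ErrForbidden models the rejection from the permission check on the URL project.
var ErrForbidden = errors.New("forbidden: not admin of the project in the URL")

// ErrNotFound models "no rows affected" after an ownership-scoped delete.
var ErrNotFound = errors.New("link share not found in this project")

// Store holds shares plus a hypothetical projectID -> admin user IDs map that
// stands in for the canDoLinkShare-style check on the :project path parameter.
type Store struct {
	shares []LinkShare
	admins map[int64][]int64
}

func (s *Store) isAdmin(projectID, userID int64) bool {
	for _, u := range s.admins[projectID] {
		if u == userID {
			return true
		}
	}
	return false
}

// DeleteVulnerable mirrors the pre-2.2.1 behaviour the advisory describes:
// the permission check uses the project from the URL, but the delete matches
// only on the share ID (WHERE id = ?), never on project_id.
func (s *Store) DeleteVulnerable(urlProjectID, shareID, userID int64) error {
	if !s.isAdmin(urlProjectID, userID) {
		return ErrForbidden
	}
	return s.deleteWhere(func(ls LinkShare) bool {
		return ls.ID == shareID
	})
}

// DeleteFixed mirrors the 2.2.1 fix: the predicate is
// WHERE id = ? AND project_id = ?, so a share can only be removed through the
// project it actually belongs to.
func (s *Store) DeleteFixed(urlProjectID, shareID, userID int64) error {
	if !s.isAdmin(urlProjectID, userID) {
		return ErrForbidden
	}
	return s.deleteWhere(func(ls LinkShare) bool {
		return ls.ID == shareID && ls.ProjectID == urlProjectID
	})
}

// deleteWhere removes every share matching pred and reports ErrNotFound when
// nothing matched, the in-memory analogue of checking the affected-row count.
func (s *Store) deleteWhere(pred func(LinkShare) bool) error {
	kept := make([]LinkShare, 0, len(s.shares))
	removed := 0
	for _, ls := range s.shares {
		if pred(ls) {
			removed++
			continue
		}
		kept = append(kept, ls)
	}
	s.shares = kept
	if removed == 0 {
		return ErrNotFound
	}
	return nil
}

// Has reports whether a share with the given ID still exists.
func (s *Store) Has(shareID int64) bool {
	for _, ls := range s.shares {
		if ls.ID == shareID {
			return true
		}
	}
	return false
}

// NewScenario builds the advisory's scenario with constructed IDs: user 1 is
// admin of project 10, which owns share 100; user 2 is admin only of project 20.
func NewScenario() *Store {
	return &Store{
		shares: []LinkShare{{ID: 100, ProjectID: 10}},
		admins: map[int64][]int64{10: {1}, 20: {2}},
	}
}

func main() {
	// User 2 supplies their own project (20) with User 1's share ID (100).
	vuln := NewScenario()
	err := vuln.DeleteVulnerable(20, 100, 2)
	fmt.Printf("vulnerable: err=%v, share 100 still exists=%v\n", err, vuln.Has(100))

	fixed := NewScenario()
	err = fixed.DeleteFixed(20, 100, 2)
	fmt.Printf("fixed:      err=%v, share 100 still exists=%v\n", err, fixed.Has(100))
}
```

Note that the permission check is identical in both paths; the fix is entirely in scoping the delete to the authorized project. A deployment that adds only a project_id column comparison but keeps reporting success when zero rows are affected would still leak whether a share ID exists, so the affected-row count is checked as well.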

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: code.vikunja.io/api (Go)
Affected versions: < 2.2.1
Patched versions: 2.2.1

Affected products

  • Vikunja/Vikunja
    Range: < 2.2.1
  • go-vikunja/vikunja
    Range: < 2.2.1

Patches


No patches discovered yet.


References

4
