Vikunja has Cross-Project Information Disclosure via Task Relations

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to. Version 2.2.1 patches the issue.

Basic Information

ID CVE-2026-33676

Source GitHub_M

Published Mar 24, 2026 at 15:35

Modified Mar 24, 2026 at 18:55

Affected Product

Vendor go-vikunja

Product vikunja

Version < 2.2.1

Affected Versions go-vikunja vikunja < 2.2.1

CWE Classification

CWE-863

References

{
    "lastseen": "",
    "description": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to. Version 2.2.1 patches the issue.",
    "published": "2026-03-24T15:35:37.991Z",
    "modified": "2026-03-24T18:55:19.706Z",
    "type": "cve",
    "title": "Vikunja has Cross-Project Information Disclosure via Task Relations \u2014 Missing Authorization Check on Related Task Read",
    "source": "GitHub_M",
    "references": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8cmm-j6c4-rr8v\nhttps://github.com/go-vikunja/vikunja/pull/2449\nhttps://github.com/go-vikunja/vikunja/commit/833f2aec006ac0f6643c41872e45dd79220b9174\nhttps://vikunja.io/changelog/vikunja-v2.2.2-was-released",
    "id": "CVE-2026-33676",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "go-vikunja vikunja < 2.2.1",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "vikunja",
    "version": "< 2.2.1",
    "vendor": "go-vikunja",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read_CVE-2026-33676