Vikunja has a Link Share Delete IDOR

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DELETE /api/v1/projects/:project/shares/:share` endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares from other projects by providing their own project ID combined with the target share ID. Version 2.2.1 patches the issue.

Basic Information

ID CVE-2026-33700

Source GitHub_M

Published Mar 24, 2026 at 15:51

Modified Mar 24, 2026 at 18:04

Affected Product

Vendor go-vikunja

Product vikunja

Version < 2.2.1

Affected Versions go-vikunja vikunja < 2.2.1

CWE Classification

CWE-639

References

{
    "lastseen": "",
    "description": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DELETE /api/v1/projects/:project/shares/:share` endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares from other projects by providing their own project ID combined with the target share ID. Version 2.2.1 patches the issue.",
    "published": "2026-03-24T15:51:40.172Z",
    "modified": "2026-03-24T18:04:42.445Z",
    "type": "cve",
    "title": "Vikunja has a Link Share Delete IDOR \u2014 Missing Project Ownership Check Allows Cross-Project Link Share Deletion",
    "source": "GitHub_M",
    "references": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-f95f-77jx-fcjc\nhttps://vikunja.io/changelog/vikunja-v2.2.2-was-released",
    "id": "CVE-2026-33700",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "go-vikunja vikunja < 2.2.1",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "vikunja",
    "version": "< 2.2.1",
    "vendor": "go-vikunja",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion_CVE-2026-33700