Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, `TaskAttachment.ReadOne()` queries attachments by ID only (`WHERE id = ?`), ignoring the task ID from the URL path. The permission check in `CanRead()` validates access to the task specified in the URL, but `ReadOne()` loads a different attachment that may belong to a task in another project. This allows any authenticated user to download or delete any attachment in the system by providing their own accessible task ID with a target attachment ID. Attachment IDs are sequential integers, making enumeration trivial. Version 2.2.1 patches the issue.

INFO

Published Date :

2026-03-24T15:44:06.336Z

Last Modified :

2026-03-24T17:04:42.454Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33678 vulnerability.

Vendors Products
Go-vikunja
  • Vikunja
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33678.

URL Resource
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-jfmm-mjcp-8wq2 cve-icon cve-icon
https://vikunja.io/changelog/vikunja-v2.2.2-was-released cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact