Information Disclosure in Vikunja Task Management Platform
CVE-2026-33676

6.5MEDIUM

Key Information:

Vendor

Go-vikunja

Status
Vikunja
Vendor
CVE Published:
24 March 2026

What is CVE-2026-33676?

An information disclosure vulnerability in Vikunja allows authenticated users to retrieve sensitive details regarding tasks from projects to which they do not have access. Specifically, when the Vikunja API returns tasks, it erroneously populates the related_tasks field with complete task objects, including details such as titles, descriptions, due dates, priorities, and project IDs. This oversight can expose private information, impacting user privacy and project security. The issue is resolved in version 2.2.1, which includes checks to ensure that user permissions are enforced appropriately.

Affected Version(s)

vikunja < 2.2.1

References

https://github.com/go-vikunja/vikunja/security/advisories...
x_refsource_CONFIRM
https://github.com/go-vikunja/vikunja/pull/2449
x_refsource_MISC
https://github.com/go-vikunja/vikunja/commit/833f2aec006a...
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.