Access Control Issue in Vikunja Task Management Platform
CVE-2026-33678
CVSS 8.1 (HIGH)
What is CVE-2026-33678?
Vikunja, an open-source self-hosted task management platform, has a significant access control vulnerability that allows any authenticated user to download or delete attachments from any task. Prior to version 2.2.1, the TaskAttachment.ReadOne() function queried by attachment ID alone and never checked that the attachment belonged to the task ID given in the URL. Because the attachment was never tied back to the task the user was authorized for, a user could alter the attachment ID in a request and reach attachments belonging to other projects. Attachment IDs are sequential, so they can be enumerated, which makes the weakness easy to exploit. Version 2.2.1 addresses this security issue and improves the overall integrity of the attachment management system.
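The defect described above is a missing ownership check between the attachment and the task named in the URL. The following Go example, added here and not taken from Vikunja's code base, contrasts a lookup keyed on attachment ID alone with a lookup scoped to the (task, attachment) pair; the Attachment type, store and data are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Attachment models a file attached to a task (constructed sample type,
// not Vikunja's own struct).
type Attachment struct {
	ID     int64
	TaskID int64
	Name   string
}

// ErrNotFound is returned for both "no such attachment" and "attachment
// belongs to another task", so the response does not leak which case applies.
var ErrNotFound = errors.New("attachment not found")

// Constructed sample data: attachment 2 belongs to task 200, not task 100.
var attachments = map[int64]Attachment{
	1: {ID: 1, TaskID: 100, Name: "spec.pdf"},
	2: {ID: 2, TaskID: 200, Name: "payroll.xlsx"},
}

// readOneByIDOnly reproduces the flawed pattern: the task ID from the URL
// is accepted but never used, so any attachment ID resolves regardless of
// which task (and therefore which project) it belongs to.
func readOneByIDOnly(taskID, attachmentID int64) (Attachment, error) {
	_ = taskID // ignored: this is the bug
	a, ok := attachments[attachmentID]
	if !ok {
		return Attachment{}, ErrNotFound
	}
	return a, nil
}

// readOneScoped is the hardened pattern: the attachment must exist AND be
// attached to the task in the URL, the task the caller was authorized for.
func readOneScoped(taskID, attachmentID int64) (Attachment, error) {
	a, ok := attachments[attachmentID]
	if !ok || a.TaskID != taskID {
		return Attachment{}, ErrNotFound
	}
	return a, nil
}

func main() {
	_, err := readOneScoped(100, 2) // task 100 requesting task 200's file
	fmt.Println("scoped lookup across tasks:", err)
}
```

The scoped lookup should sit behind the existing task-level permission check, so that authorization on the task carries over to every attachment it owns.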
Affected Version(s)
vikunja < 2.2.1
