Server-Side Request Forgery in Vikunja Task Management Platform
CVE-2026-33679

6.4 MEDIUM

Key Information:

Vendor

Go-vikunja

Status
Vendor
CVE Published:
24 March 2026

What is CVE-2026-33679?

Vikunja, an open-source task management platform, fetches a user's avatar image from the picture URL carried in that user's OpenID Connect (OIDC) profile, and the DownloadImage function that performs this fetch does not apply adequate SSRF protections. An attacker who can set the picture URL on their own OIDC profile can point it at any host, and the Vikunja server will then issue an HTTP GET request to that address from its own network position, including internal services and cloud metadata endpoints that are not reachable from outside. Vikunja applies SSRF safeguards in its other components that fetch remote URLs; this code path bypasses them. The CVSS vector below records low confidentiality and availability impact, no integrity impact and a changed scope, which matches what such a server-side request reaches: disclosure from, and load on, internal services behind the Vikunja host, rather than direct modification of Vikunja data. Users should upgrade to version 2.2.1 or later, which addresses the issue.
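The hardened form of the avatar fetch described above, as an added example in Go (Vikunja's language); this is not Vikunja's own code or its fix. The function names (checkAvatarURL, dialControl, newAvatarClient), the injected Resolver type and the host names answered by fakeResolve are assumptions made for the illustration. The example shows the three checks a server-side fetch of an attacker-controlled OIDC picture URL needs: scheme and host validation before resolution, rejection of every resolved address that falls in a loopback, private, link-local (169.254.169.254) or other non-routable range, and a re-check at connect time so DNS rebinding or an HTTP redirect cannot route around the first check.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"syscall"
	"time"
)

// Resolver is injected so the check runs offline; production code passes
// net.DefaultResolver.LookupNetIP, which has exactly this signature.
type Resolver func(ctx context.Context, network, host string) ([]netip.Addr, error)

var errBlocked = errors.New("avatar url rejected")

// blockedAddr flags loopback, private, link-local (which includes the
// 169.254.169.254 metadata endpoint), multicast, unspecified and CGNAT
// addresses. Unmap first so ::ffff:10.0.0.1 is judged as 10.0.0.1.
func blockedAddr(a netip.Addr) bool {
	a = a.Unmap()
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
		a.IsMulticast() || a.IsUnspecified() ||
		netip.MustParsePrefix("100.64.0.0/10").Contains(a)
}

// checkAvatarURL accepts only http(s) URLs whose host (literal or resolved)
// has no address in a blocked range. Every DNS answer is checked, so a name
// mixing a public and a loopback address is refused.
func checkAvatarURL(ctx context.Context, raw string, resolve Resolver) ([]netip.Addr, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("%w: scheme %q", errBlocked, u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return nil, fmt.Errorf("%w: empty host", errBlocked)
	}
	var addrs []netip.Addr
	if ip, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{ip} // literal IP: no lookup, but still filtered
	} else if addrs, err = resolve(ctx, "ip", host); err != nil {
		return nil, err
	}
	if len(addrs) == 0 {
		return nil, fmt.Errorf("%w: %s has no addresses", errBlocked, host)
	}
	for _, a := range addrs {
		if blockedAddr(a) {
			return nil, fmt.Errorf("%w: %s -> %s", errBlocked, host, a)
		}
	}
	return addrs, nil
}

// dialControl re-checks the address the socket is actually about to connect
// to, so a DNS answer that changes between checkAvatarURL and the dial
// (rebinding) is still refused. Go passes it as "ip:port".
func dialControl(_ string, address string, _ syscall.RawConn) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil {
		return err
	}
	if blockedAddr(ap.Addr()) {
		return fmt.Errorf("%w: dial to %s", errBlocked, ap.Addr())
	}
	return nil
}

// newAvatarClient wires dialControl into the transport and refuses to follow
// redirects, the other classic way past a one-time URL check.
func newAvatarClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: dialControl}
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{DialContext: d.DialContext},
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// fakeResolve is a constructed stand-in for DNS so the example runs offline;
// the names and answers are made up for this illustration.
func fakeResolve(_ context.Context, _ string, host string) ([]netip.Addr, error) {
	table := map[string][]netip.Addr{
		"avatars.example":  {netip.MustParseAddr("203.0.113.10")},
		"metadata.example": {netip.MustParseAddr("169.254.169.254")},
		"split.example":    {netip.MustParseAddr("203.0.113.10"), netip.MustParseAddr("127.0.0.1")},
	}
	if addrs, ok := table[host]; ok {
		return addrs, nil
	}
	return nil, fmt.Errorf("lookup %s: no such host", host)
}

func main() {
	for _, raw := range []string{"https://avatars.example/u/1.png", "https://metadata.example/"} {
		_, err := checkAvatarURL(context.Background(), raw, fakeResolve)
		fmt.Println(raw, "->", err)
	}
	_ = newAvatarClient() // production: newAvatarClient().Get(checked URL)
}
```

Rejecting on any bad answer is deliberate: a name that resolves to one public and one internal address is a standard rebinding setup. http.ErrUseLastResponse hands the 3xx back to the caller instead of following it, so the caller should treat anything other than a 200 as a failed fetch. The essential point for this CVE is that the OIDC avatar path must go through the same filter as the project's other remote-URL fetches rather than a plain GET.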

Affected Version(s)

vikunja < 2.2.1

CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability reserved

  • Vulnerability published: 24 March 2026