Authorization Flaw in Vikunja Affects Data Security and Access Control
CVE-2026-56765

9.3CRITICAL

Key Information:

Vendor

Vikunja

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-56765?

The Vikunja application prior to version 2.2.1 suffers from an authorization vulnerability that exposes sensitive share hashes through the LinkSharing.ReadAll endpoint. This flaw enables users with read access to escalate permissions, potentially gaining access to admin-level shares. Additionally, the GetTaskAttachment endpoint improperly checks user permissions against provided task IDs and retrieves attachments based on sequential IDs, without confirming ownership. This oversight allows malicious users to download and delete all file attachments across various projects, resulting in a significant breach of data integrity across user instances.

Affected Version(s)

Vikunja 0 < 2.2.1

Vikunja 2.2.1

References

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

offset
.