CVE-2026-33312 — Incorrect Authorization in API

CWE-863 — Incorrect Authorization5 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 87.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Code.vikunja.io API Vikunja Go-vikunja Vikunja

Timeline

PublishedMar 20

Latest updateMar 23

Description

Vikunja is an open-source self-hosted task management platform. Starting in version 0.20.2 and prior to version 2.2.0, the `DELETE /api/v1/projects/:project/background` endpoint checks `CanRead` permission instead of `CanUpdate`, allowing any user with read-only access to a project to permanently delete its background image. Version 2.2.0 fixes the issue.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

▶NVDvikunja/vikunja0.20.2 — 2.2.0

▶Gocode.vikunja.io/api0.20.2 — 2.2.0+1

▶CVEListV5go-vikunja/vikunja>= 0.20.2, < 2.2.0

🔴Vulnerability Details

OSV

Vikunja read-only users can delete project background images via broken object-level authorization in code.vikunja.io/api↗2026-03-23

▶

OSV

Vikunja read-only users can delete project background images via broken object-level authorization↗2026-03-20

▶

GHSA

Vikunja read-only users can delete project background images via broken object-level authorization↗2026-03-20

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33312 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶