CVE-2026-33676
Published 2026-03-24
Priority: P3 38 · Severity: medium (CVSS 3.1 base score 6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.33% (24.7th percentile)
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to. Version 2.2.1 patches the issue.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.vikunja.io | api | >= 0 < 2.2.1 | 2.2.1 |
| go-vikunja | vikunja | < 2.2.1 | 2.2.1 |
| vikunja | vikunja | < 2.2.1 | 2.2.1 |
OSV (2026-03-26)
Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read in code.vikunja.io/api
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: code.vikunja.io/api before v2.2.1.
OSV (2026-03-25) [MEDIUM]
Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read
## Summary
When the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to.
## Details
The vulnerability is in `addRelatedTasksToTasks()` at `pkg/models/tasks.go:496-548`. This function is called by `addMoreInfoToTasks()` (line 773) during every task read operation — both project task listings (`GET /api
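The Details section above describes a relation-expansion routine that attaches full related-task objects without consulting the permission model. The following Go program is an added illustration of that bug class (CWE-863) and is not Vikunja's code: the `Task`, `Relation`, `Store` and `ReadChecker` types, the fixture data and the two functions are all hypothetical. `RelatedTasksUnchecked` reproduces the flawed pattern; `RelatedTasksChecked` is one way to harden it, by dropping any related task whose project the requesting user cannot read. Whether the upstream 2.2.1 patch filters the task out or returns a reduced object is not stated on this page, so this is only one reasonable mitigation.

```go
package main

import "fmt"

// Everything in this file is a constructed illustration of the bug class described
// in the advisory (missing authorization check when expanding task relations).
// The types, functions and fixtures are hypothetical and are not Vikunja's code.

// Task is a minimal stand-in for a task record.
type Task struct {
	ID        int64
	ProjectID int64
	Title     string
}

// Relation links a task to another task; Kind is e.g. "related" or "subtask".
type Relation struct {
	TaskID      int64
	OtherTaskID int64
	Kind        string
}

// Store is an in-memory stand-in for the database.
type Store struct {
	Tasks     map[int64]Task
	Relations []Relation
}

// ReadChecker answers whether userID may read projectID: the permission oracle
// that the vulnerable code path never consulted.
type ReadChecker func(userID, projectID int64) bool

// RelatedTasksUnchecked reproduces the flawed pattern: every related task is
// expanded into a full object, regardless of who is asking.
func RelatedTasksUnchecked(s *Store, taskID int64) map[string][]Task {
	out := map[string][]Task{}
	for _, r := range s.Relations {
		if r.TaskID != taskID {
			continue
		}
		if t, ok := s.Tasks[r.OtherTaskID]; ok {
			out[r.Kind] = append(out[r.Kind], t)
		}
	}
	return out
}

// RelatedTasksChecked is the hardened form: a related task is included only if
// the requesting user has read permission on that task's project. The decision
// is memoised per project, so a task with many relations costs one permission
// check per distinct project rather than one per relation.
func RelatedTasksChecked(s *Store, taskID, userID int64, canRead ReadChecker) map[string][]Task {
	out := map[string][]Task{}
	decided := map[int64]bool{} // projectID -> allowed
	for _, r := range s.Relations {
		if r.TaskID != taskID {
			continue
		}
		t, ok := s.Tasks[r.OtherTaskID]
		if !ok {
			continue
		}
		allowed, seen := decided[t.ProjectID]
		if !seen {
			allowed = canRead(userID, t.ProjectID)
			decided[t.ProjectID] = allowed
		}
		if allowed {
			out[r.Kind] = append(out[r.Kind], t)
		}
	}
	return out
}

// SampleStore builds a constructed fixture: task 1 in project 10 is related to
// task 2 (same project) and to task 3 in project 20.
func SampleStore() *Store {
	return &Store{
		Tasks: map[int64]Task{
			1: {ID: 1, ProjectID: 10, Title: "Public roadmap"},
			2: {ID: 2, ProjectID: 10, Title: "Draft blog post"},
			3: {ID: 3, ProjectID: 20, Title: "Confidential: acquisition plan"},
		},
		Relations: []Relation{
			{TaskID: 1, OtherTaskID: 2, Kind: "related"},
			{TaskID: 1, OtherTaskID: 3, Kind: "related"},
		},
	}
}

// SampleACL is a constructed permission table: user 1 may read project 10 only,
// user 2 may read projects 10 and 20, everyone else reads nothing.
func SampleACL(userID, projectID int64) bool {
	switch userID {
	case 1:
		return projectID == 10
	case 2:
		return projectID == 10 || projectID == 20
	}
	return false
}

func main() {
	s := SampleStore()
	fmt.Println("unchecked:      ", RelatedTasksUnchecked(s, 1)["related"])
	fmt.Println("checked, user 1:", RelatedTasksChecked(s, 1, 1, SampleACL)["related"])
	fmt.Println("checked, user 2:", RelatedTasksChecked(s, 1, 2, SampleACL)["related"])
}
```

Running it shows the unchecked path handing user 1 the title of the project-20 task, while the checked path returns only the project-10 task for user 1 and both tasks for user 2. A useful regression test for this class of bug is exactly that pairing: a fixture with a cross-project relation and two users with different project access, asserting that the relation expansion never returns more than the caller could read directly.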
GHSA (2026-03-25) [MEDIUM] CWE-863
Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read
No detection rules found.
No public exploits indexed.
References:
- https://github.com/go-vikunja/vikunja/commit/833f2aec006ac0f6643c41872e45dd79220b9174
- https://github.com/go-vikunja/vikunja/pull/2449
- https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8cmm-j6c4-rr8v
- https://vikunja.io/changelog/vikunja-v2.2.2-was-released