CVE-2026-33679 — Server-Side Request Forgery in Vikunja

CWE-918 — Server-Side Request Forgery5 documents4 sources

Severity

7.4HIGHNVD

EPSS

0.0%

top 88.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Go-vikunja Vikunja Code.vikunja.io API Vikunja

Timeline

PublishedMar 24

Latest updateMar 26

Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http.Client{}` with no SSRF protection when downloading user avatar images from the OpenID Connect `picture` claim URL. An attacker who controls their OIDC profile picture URL can force the Vikunja server to make HTTP GET requests to arbitrary internal or cloud metadata endpoints. This bypasses the SSRF protections that are correctly applied t…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:LExploitability: 3.1 | Impact: 3.7

Affected Packages3 packages

▶NVDvikunja/vikunja< 2.2.1

▶CVEListV5go-vikunja/vikunja< 2.2.1

▶Gocode.vikunja.io/api< 2.2.1

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

Vikjuna Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download in code.vikunja.io/api↗2026-03-26

▶

OSV

Vikjuna Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download↗2026-03-25

▶

GHSA

Vikjuna Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download↗2026-03-25

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33679 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶