CVE-2026-33679
Published 2026-03-24
Priority: P3 · Severity: high · CVSS 3.1 base score: 7.4
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
EPSS: 0.40% (31.4th percentile)
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http.Client{}` with no SSRF protection when downloading user avatar images from the OpenID Connect `picture` claim URL. An attacker who controls their OIDC profile picture URL can force the Vikunja server to make HTTP GET requests to arbitrary internal or cloud metadata endpoints. This bypasses the SSRF protections that are correctly applied to the webhook system. Version 2.2.1 patches the issue.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.vikunja.io | api | >= 0 < 2.2.1 | 2.2.1 |
| go-vikunja | vikunja | < 2.2.1 | 2.2.1 |
| vikunja | vikunja | < 2.2.1 | 2.2.1 |
OSV · 2026-03-26
CVE-2026-33679: Vikunja Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download in code.vikunja.io/api
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: code.vikunja.io/api before v2.2.1.
OSV · 2026-03-25
CVE-2026-33679 [MEDIUM]: Vikunja Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download
## Summary
The `DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http.Client{}` with no SSRF protection when downloading user avatar images from the OpenID Connect `picture` claim URL. An attacker who controls their OIDC profile picture URL can force the Vikunja server to make HTTP GET requests to arbitrary internal or cloud metadata endpoints. This bypasses the SSRF protections that are correctly applied to the webhook system.
## Details
When a user authenticates via OpenID Connect, Vikunja extracts the `picture` claim from the ID token or UserInfo endpoint and passes it to `syncUserAvatarFromOpenID`, which calls `utils.DownloadImage` with the attacker-controlled URL:
**Claim extraction** (`p
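The advisory's point is that a bare `http.Client{}` follows whatever URL the `picture` claim carries, including internal and cloud-metadata addresses. The following Go program is an added example of what an SSRF-guarded avatar fetch looks like; it is not Vikunja's code and not the 2.2.1 patch, and the function names (`validateAvatarURL`, `safeControl`, `newAvatarClient`, `downloadAvatar`), the redirect limit and the 2 MiB body cap are assumptions chosen for illustration. The guard runs at two points: a cheap pre-connection check on the URL, and a `net.Dialer.Control` hook that inspects the already-resolved socket address, so a hostname that resolves (or rebinds) to an internal address, or a redirect that points at one, is refused at connect time.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// maxAvatarBytes caps how much of the response body is read (constructed limit).
const maxAvatarBytes = 2 << 20 // 2 MiB

// cgnat is 100.64.0.0/10, which net.IP.IsPrivate does not cover.
var cgnat = func() *net.IPNet { _, n, _ := net.ParseCIDR("100.64.0.0/10"); return n }()

// isDisallowedIP reports whether connecting to ip would reach a loopback,
// private, link-local (which includes the 169.254.169.254 metadata address),
// multicast, unspecified or shared-address-space address. IPv4-mapped IPv6
// addresses are handled because net.IP's predicates apply To4 themselves.
func isDisallowedIP(ip net.IP) bool {
	return ip == nil ||
		ip.IsLoopback() ||
		ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast() ||
		ip.IsMulticast() ||
		ip.IsUnspecified() ||
		cgnat.Contains(ip)
}

// validateAvatarURL performs the pre-connection checks: only http(s), a
// non-empty host, and no IP-literal host that is already disallowed.
// Hostnames are checked again after DNS resolution in safeControl.
func validateAvatarURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("avatar url: scheme %q not allowed", u.Scheme)
	}
	if u.Hostname() == "" {
		return nil, errors.New("avatar url: missing host")
	}
	if ip := net.ParseIP(u.Hostname()); ip != nil && isDisallowedIP(ip) {
		return nil, fmt.Errorf("avatar url: address %s not allowed", ip)
	}
	return u, nil
}

// safeControl runs just before each socket connect, on the resolved address,
// so neither DNS answers nor redirects can steer the client to an internal host.
func safeControl(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	if isDisallowedIP(net.ParseIP(host)) {
		return fmt.Errorf("blocked connection to %s", address)
	}
	return nil
}

// newAvatarClient builds an http.Client whose every connection, including
// those made while following redirects, passes through safeControl.
func newAvatarClient() *http.Client {
	dialer := &net.Dialer{Timeout: 5 * time.Second, Control: safeControl}
	return &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{
			DialContext: dialer.DialContext,
			Proxy:       nil, // do not route avatar fetches through an environment-configured proxy
		},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("too many redirects")
			}
			_, err := validateAvatarURL(req.URL.String())
			return err
		},
	}
}

// downloadAvatar is the guarded counterpart of a bare http.Client{} fetch:
// validated URL, guarded dialer, bounded response body.
func downloadAvatar(ctx context.Context, raw string) ([]byte, error) {
	u, err := validateAvatarURL(raw)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)
	if err != nil {
		return nil, err
	}
	resp, err := newAvatarClient().Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("avatar fetch: status %d", resp.StatusCode)
	}
	return io.ReadAll(io.LimitReader(resp.Body, maxAvatarBytes))
}

func main() {
	// Constructed sample claim values; all three are refused before any connection is made.
	for _, raw := range []string{
		"http://169.254.169.254/latest/meta-data/",
		"http://127.0.0.1:8080/avatar.png",
		"file:///etc/passwd",
	} {
		_, err := validateAvatarURL(raw)
		fmt.Printf("%-45s -> %v\n", raw, err)
	}
}
```

The `Control` hook is the important half: a pre-parse blocklist alone can be defeated by a hostname that resolves to an internal address, whereas the hook sees the literal IP the kernel is about to connect to. Disabling the environment proxy and bounding the body are the same defaults a webhook client that already has SSRF protection would be expected to carry.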
GHSA · 2026-03-25
CVE-2026-33679 [MEDIUM] CWE-918: Vikunja Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download
Detection rules: none found.
Public exploits: none indexed.
Published: 2026-03-24