CVE-2026-33680
published 2026-03-24CVE-2026-33680: Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the `LinkSharing.ReadAll()` method allows link share authenticated…
PriorityP340medium6.5CVSS 3.1
AVNACLPRLUINSUCHINAN
EPSS
0.40%
31.7th percentile
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the `LinkSharing.ReadAll()` method allows link share authenticated users to list all link shares for a project, including their secret hashes. While `LinkSharing.CanRead()` correctly blocks link share users from reading individual shares via `ReadOne`, the `ReadAllWeb` handler bypasses this check by never calling `CanRead()`. An attacker with a read-only link share can retrieve hashes for write or admin link shares on the same project and authenticate with them, escalating to full admin access. Version 2.2.2 patches the issue.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.vikunja.io | api | >= 0 < 2.2.2 | 2.2.2 |
| go-vikunja | vikunja | < 2.2.2 | 2.2.2 |
| vikunja | vikunja | < 2.2.2 | 2.2.2 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation in code.vikunja.io/api
osv·2026-03-26
CVE-2026-33680 Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation in code.vikunja.io/api
Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation in code.vikunja.io/api
Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation in code.vikunja.io/api.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: code.vikunja.io/api before v2.2.2.
GHSA
Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
ghsa·2026-03-25
CVE-2026-33680 [HIGH] CWE-285 Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
## Summary
The `LinkSharing.ReadAll()` method allows link share authenticated users to list all link shares for a project, including their secret hashes. While `LinkSharing.CanRead()` correctly blocks link share users from reading individual shares via `ReadOne`, the `ReadAllWeb` handler bypasses this check by never calling `CanRead()`. An attacker with a read-only link share can retrieve hashes for write or admin link shares on the same project and authenticate with them, escalating to full admin access.
## Details
The vulnerability arises from an inconsistency between the `ReadOneWeb` and `ReadAllWeb` generic handlers and the `LinkSharing` permission model.
**`LinkSharing.CanRead()` correctly bloc
OSV
Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
osv·2026-03-25
CVE-2026-33680 [HIGH] Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
## Summary
The `LinkSharing.ReadAll()` method allows link share authenticated users to list all link shares for a project, including their secret hashes. While `LinkSharing.CanRead()` correctly blocks link share users from reading individual shares via `ReadOne`, the `ReadAllWeb` handler bypasses this check by never calling `CanRead()`. An attacker with a read-only link share can retrieve hashes for write or admin link shares on the same project and authenticate with them, escalating to full admin access.
## Details
The vulnerability arises from an inconsistency between the `ReadOneWeb` and `ReadAllWeb` generic handlers and the `LinkSharing` permission model.
**`LinkSharing.CanRead()` correctly bloc
No detection rules found.
No public exploits indexed.
2026-03-24
Published