CVE-2026-33700 — Authorization Bypass Through User-Controlled Key in Vikunja

CWE-639 — Authorization Bypass Through User-Controlled Key5 documents4 sources

Severity

6.9MEDIUMNVD

EPSS

0.0%

top 87.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Go-vikunja Vikunja Code.vikunja.io API Vikunja

Timeline

PublishedMar 24

Latest updateMar 26

Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DELETE /api/v1/projects/:project/shares/:share` endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares from other projects by providing their own project ID combined with the target share ID. Version 2.2.1 patches the issue.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

▶NVDvikunja/vikunja< 2.2.1

▶CVEListV5go-vikunja/vikunja< 2.2.1

▶Gocode.vikunja.io/api< 2.2.1

🔴Vulnerability Details

OSV

Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion in code.vikunja.io/api↗2026-03-26

▶

GHSA

Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion↗2026-03-25

▶

OSV

Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion↗2026-03-25

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33700 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶