CVE-2026-33677 in vikunja
Summary
by MITRE • 03/24/2026
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `GET /api/v1/projects/:project/webhooks` endpoint returns webhook BasicAuth credentials (`basic_auth_user` and `basic_auth_password`) in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC `secret` field, the BasicAuth fields added in a later migration were not given the same treatment. This allows read-only collaborators to steal credentials intended for authenticating against external webhook receivers. Version 2.2.1 patches the issue.
Analysis
by VulDB Data Team • 03/28/2026
The vulnerability identified as CVE-2026-33677 affects Vikunja, an open-source self-hosted task management platform that enables users to organize and track their work items. The flaw exists in versions prior to 2.2.1 and lies in the API endpoint that returns a project's webhook configurations. It is a credential-handling defect: the endpoint is legitimately reachable by anyone with read access to the project, but its response includes authentication material that only project owners or administrators should be able to see. The vulnerability represents a significant security risk because it allows unauthorized access to webhook authentication credentials that are essential for external system integrations.
The technical flaw manifests in the `GET /api/v1/projects/:project/webhooks` endpoint, where the application fails to mask BasicAuth credentials when building the response. The system correctly masks the HMAC secret held in the `secret` field, but the BasicAuth fields `basic_auth_user` and `basic_auth_password` are returned as stored. This inconsistency means that any user with read access to a project can obtain, in plaintext, the credentials used to authenticate against external webhook receivers. The root cause is output filtering (credential masking) that was applied to one credential field but not extended to the BasicAuth fields added in a later migration, rather than being applied consistently to every credential field in the webhook configuration response.
The operational impact of this vulnerability extends beyond simple credential exposure, as it enables unauthorized users to gain access to external services that rely on these webhook endpoints for integration. Read-only collaborators can exploit this flaw to steal credentials and potentially gain unauthorized access to connected third-party applications, services, or systems that depend on the webhook configurations. This creates a vector for lateral movement within network environments where webhook integrations might be used for critical business processes, automated workflows, or system notifications. The exposure of these credentials could lead to unauthorized data access, service disruption, or even full system compromise if the external services are not properly secured.
Security professionals should consider this vulnerability in the context of CWE-542, which deals with the disclosure of sensitive information through output masking failures, and CWE-312, which addresses the exposure of sensitive data through improper handling. The issue also aligns with ATT&CK technique T1566, focusing on the initial access phase where adversaries attempt to obtain credentials for system access. Organizations using Vikunja should immediately implement the patch available in version 2.2.1, which addresses the credential masking inconsistency by ensuring that all webhook authentication fields are properly sanitized during API responses. Additionally, system administrators should review and rotate all affected webhook credentials, implement proper access controls, and monitor for potential unauthorized access attempts in their network monitoring systems. The vulnerability highlights the importance of consistent security practices across all application components and demonstrates the critical need for comprehensive credential handling mechanisms that protect sensitive data at all points of exposure.
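The masking inconsistency described above, and the post-patch verification step recommended for administrators, can both be illustrated with a small Go program. This is an added example, not Vikunja's own code: the `Webhook` struct, the `maskBefore`/`maskAfter` functions, the `ListWebhooks` serialiser and the `LeakedCredentialFields` audit helper are all constructed here, and the assumption that "masking" means emitting an empty string for the field is mine. The audit helper takes the JSON body of a webhook list response and reports any credential field that still carries a value, which is the check an administrator would run against a saved response from their own instance after upgrading to 2.2.1 and before rotating credentials.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Webhook mirrors the field names quoted in the advisory. It is a constructed
// type for this example, not the project's own model.
type Webhook struct {
	ID                int64  `json:"id"`
	ProjectID         int64  `json:"project_id"`
	TargetURL         string `json:"target_url"`
	Secret            string `json:"secret"`              // HMAC signing secret
	BasicAuthUser     string `json:"basic_auth_user"`     // added in a later migration
	BasicAuthPassword string `json:"basic_auth_password"` // added in a later migration
}

// credentialFields lists every field that must never leave the server in a
// read response, in a fixed order so audit output is deterministic.
var credentialFields = []string{"secret", "basic_auth_user", "basic_auth_password"}

// maskBefore models the pre-2.2.1 behaviour the advisory describes: only the
// HMAC secret is blanked before the list is serialised.
func maskBefore(w Webhook) Webhook {
	w.Secret = ""
	return w
}

// maskAfter gives every credential field the same treatment. This is the
// shape of the fix, not a copy of the upstream patch.
func maskAfter(w Webhook) Webhook {
	w.Secret = ""
	w.BasicAuthUser = ""
	w.BasicAuthPassword = ""
	return w
}

// ListWebhooks serialises a project's webhooks for a read-only caller,
// applying the supplied masking function to each entry first.
func ListWebhooks(hooks []Webhook, mask func(Webhook) Webhook) ([]byte, error) {
	out := make([]Webhook, 0, len(hooks))
	for _, h := range hooks {
		out = append(out, mask(h))
	}
	return json.Marshal(out)
}

// LeakedCredentialFields parses a webhook list response body and returns a
// list of "webhook[i].field" entries for every credential field that is
// present with a non-empty value. An empty result means the response is clean.
func LeakedCredentialFields(body []byte) ([]string, error) {
	var items []map[string]any
	if err := json.Unmarshal(body, &items); err != nil {
		return nil, fmt.Errorf("response is not a JSON array of webhooks: %w", err)
	}
	var leaked []string
	for i, item := range items {
		for _, name := range credentialFields {
			v, ok := item[name]
			if !ok {
				continue
			}
			if s, isString := v.(string); isString && s != "" {
				leaked = append(leaked, fmt.Sprintf("webhook[%d].%s", i, name))
			}
		}
	}
	return leaked, nil
}

func main() {
	// Constructed sample data; the values are placeholders, not real credentials.
	hooks := []Webhook{{
		ID: 1, ProjectID: 7, TargetURL: "https://receiver.example/hook",
		Secret: "hmac-secret-placeholder", BasicAuthUser: "hookuser", BasicAuthPassword: "hookpass-placeholder",
	}}
	for label, mask := range map[string]func(Webhook) Webhook{"before-2.2.1": maskBefore, "after-2.2.1": maskAfter} {
		body, _ := ListWebhooks(hooks, mask)
		leaked, _ := LeakedCredentialFields(body)
		fmt.Printf("%s: %s\n  leaked: %v\n", label, body, leaked)
	}
}
```

Run as-is to see the two responses side by side. In practice the useful part is `LeakedCredentialFields`: save the JSON returned by your own instance's webhook list endpoint to a file while logged in as a read-only collaborator, feed the bytes to the helper, and treat any non-empty result as confirmation that the instance is still unpatched and that the listed webhooks' receiver credentials need rotating.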