CVE-2026-33678 in vikunja
Summary
by MITRE • 03/24/2026
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, `TaskAttachment.ReadOne()` queries attachments by ID only (`WHERE id = ?`), ignoring the task ID from the URL path. The permission check in `CanRead()` validates access to the task specified in the URL, but `ReadOne()` loads a different attachment that may belong to a task in another project. This allows any authenticated user to download or delete any attachment in the system by providing their own accessible task ID with a target attachment ID. Attachment IDs are sequential integers, making enumeration trivial. Version 2.2.1 patches the issue.
Analysis
by VulDB Data Team • 03/29/2026
The vulnerability described in CVE-2026-33678 represents a critical access control flaw in Vikunja, an open-source self-hosted task management platform. This issue stems from a fundamental misalignment between permission validation and data retrieval logic within the application's attachment handling mechanism. The flaw exists in the TaskAttachment.ReadOne() function which processes requests to access individual attachments, creating a dangerous gap between the authorization check and the actual data loading operation.
The technical implementation of this vulnerability demonstrates a classic authorization bypass pattern where the system validates permissions against one resource context while retrieving data from a different resource context. Specifically, the CanRead() function correctly validates access to the task ID provided in the URL path, ensuring that users can only access tasks they are authorized to view. However, the ReadOne() method ignores this task context and instead queries attachments using only the attachment ID parameter from the request, effectively bypassing the intended access controls. This creates a scenario where any authenticated user can exploit the sequential nature of attachment IDs to enumerate and access attachments belonging to tasks in other projects.
The operational impact of this vulnerability extends beyond simple data exposure, as it enables unauthorized users to perform destructive actions including downloading and deleting attachments from projects they should not have access to. The sequential integer nature of attachment IDs makes this attack vector particularly dangerous because it allows for automated enumeration techniques that can systematically discover and access attachments across the entire system. Attackers need only identify a single accessible task ID and then iterate through attachment IDs to gain access to any attachment within the platform's database.
This vulnerability maps directly to CWE-285 (Improper Authorization) and represents a failure in the principle of least privilege enforcement within the application's access control model. The issue also aligns with ATT&CK technique T1213.002 (External Remote Services) as it allows unauthorized access to data through legitimate application interfaces. The flaw demonstrates poor separation of concerns in the codebase where authorization logic is not properly enforced during data retrieval operations, creating a path for privilege escalation through data enumeration. The patch implemented in version 2.2.1 addresses this by ensuring that attachment retrieval operations properly validate both the attachment ID and the associated task ID, maintaining consistency between authorization checks and data access operations.
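The mismatch between the permission check and the lookup, and the shape of the fix, as an added Go illustration written for this analysis and not taken from Vikunja's code: the `Attachment` type, the in-memory table and the two lookup functions are constructed assumptions standing in for the real database query, which has the same `WHERE` predicate but runs through an ORM.

```go
package main

import (
	"errors"
	"fmt"
)

// Attachment is a constructed stand-in for an attachment row (not Vikunja's real type).
type Attachment struct {
	ID, TaskID int64
	Name       string
}
// Constructed table: attachment 7 belongs to task 1 (a task the caller may read),
// attachment 8 belongs to task 99 in another project.
var attachments = []Attachment{
	{ID: 7, TaskID: 1, Name: "notes.txt"},
	{ID: 8, TaskID: 99, Name: "payroll.xlsx"},
}

var ErrNotFound = errors.New("attachment not found")
// readOneVulnerable mirrors the pre-2.2.1 pattern: CanRead() has already passed for
// taskID, but the lookup ignores it (WHERE id = ?), so the row returned may belong to another task.
func readOneVulnerable(taskID, attachmentID int64) (*Attachment, error) {
	_ = taskID // authorized task context is dropped here
	for i := range attachments {
		if attachments[i].ID == attachmentID {
			return &attachments[i], nil
		}
	}
	return nil, ErrNotFound
}

// readOneFixed keeps the authorized task in the predicate (WHERE id = ? AND
// task_id = ?), so an attachment belonging to another task is simply not found.
func readOneFixed(taskID, attachmentID int64) (*Attachment, error) {
	for i := range attachments {
		if attachments[i].ID == attachmentID && attachments[i].TaskID == taskID {
			return &attachments[i], nil
		}
	}
	return nil, ErrNotFound
}

func main() {
	// Caller is authorized for task 1 but names attachment 8, which belongs to task 99.
	a, err := readOneVulnerable(1, 8)
	fmt.Println("vulnerable:", a.TaskID, err) // vulnerable: 99 <nil>
	_, err = readOneFixed(1, 8)
	fmt.Println("fixed:", err) // fixed: attachment not found
}
```

The same two-column predicate is the check a reviewer should look for wherever a child resource is loaded after a permission check on its parent.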
Organizations using Vikunja should prioritize immediate deployment of version 2.2.1 or later to remediate this vulnerability. Additionally, system administrators should review access logs for any suspicious activity involving attachment access patterns and consider implementing additional monitoring for unauthorized data access attempts. The vulnerability underscores the importance of maintaining consistent authorization contexts throughout application logic and demonstrates why automated security testing should include verification of access control boundaries in multi-resource applications.