CVE-2026-56765 in Vikunja
Summary
by MITRE • 07/10/2026
Vikunja before 2.2.1 contains an authorization flaw where the LinkSharing.ReadAll endpoint exposes share hashes to users with read access, enabling permission escalation to admin-level shares. The GetTaskAttachment endpoint performs permission checks against user-supplied task IDs but fetches attachments by sequential ID without verifying ownership, allowing attackers to download and delete all file attachments across all projects instance-wide.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
The vulnerability landscape within Vikunja versions prior to 21.2.1 reveals critical authorization flaws that fundamentally compromise the application's access control mechanisms. These weaknesses stem from inadequate validation of user permissions at multiple endpoint interfaces, creating pathways for unauthorized privilege escalation and data exfiltration. The primary issue manifests in the LinkSharing.ReadAll endpoint which inadvertently exposes share hashes to users possessing only read-level access permissions, effectively undermining the intended role-based access controls that should prevent such information disclosure.
The technical implementation flaw in the GetTaskAttachment endpoint demonstrates a classic case of insecure direct object reference vulnerability, where permission validation occurs against user-provided task identifiers but fails to verify ownership through sequential ID checks. This design oversight creates a scenario where authenticated users can manipulate attachment requests to access files across all projects within the instance. The vulnerability operates through a fundamental mismatch between the authorization logic and data retrieval mechanisms, allowing attackers to bypass normal access controls by exploiting the separation between task identification and attachment verification processes.
The operational impact of these vulnerabilities extends beyond simple information disclosure to encompass full administrative privilege escalation capabilities. When share hashes are exposed to read-level users, attackers can leverage this information to gain unauthorized access to administrative shares, effectively elevating their privileges within the system. The attachment endpoint vulnerability compounds this risk by enabling comprehensive file access across all projects, allowing malicious actors to download and delete any file attachments regardless of project ownership or user permissions.
These vulnerabilities align with CWE-284 (Improper Access Control) and CWE-285 (Improper Authorization) classifications, representing fundamental breakdowns in the application's security architecture. The attack patterns associated with these flaws correspond to techniques described in the ATT&CK framework under privilege escalation and credential access phases. The exposure of share hashes through read-only endpoints specifically relates to information disclosure tactics that enable attackers to gather intelligence for further exploitation while the attachment endpoint vulnerability maps to data manipulation and exfiltration techniques.
Mitigation strategies must address both the immediate authorization gaps and implement comprehensive access control validation mechanisms. Organizations should enforce strict input validation and implement proper ownership verification for all user-supplied identifiers, particularly when dealing with sequential or auto-incremented database fields. The recommended solution involves implementing robust permission checks that validate both task ownership and attachment access rights before executing any data retrieval operations. Additionally, the application should enforce separation of concerns between different access levels, ensuring that read-only users cannot obtain administrative information through indirect means. Regular security audits and code reviews focusing on authorization logic should be implemented to prevent similar issues in future development cycles, while immediate patching to version 2.2.1 or later is essential to remediate these critical vulnerabilities before they can be exploited in production environments.