{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33676", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T16:34:59.930Z", "datePublished": "2026-03-24T15:35:37.991Z", "dateUpdated": "2026-03-24T18:55:19.706Z"}, "containers": {"cna": {"title": "Vikunja has Cross-Project Information Disclosure via Task Relations \u2014 Missing Authorization Check on Related Task Read", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8cmm-j6c4-rr8v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8cmm-j6c4-rr8v"}, {"name": "https://github.com/go-vikunja/vikunja/pull/2449", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-vikunja/vikunja/pull/2449"}, {"name": "https://github.com/go-vikunja/vikunja/commit/833f2aec006ac0f6643c41872e45dd79220b9174", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-vikunja/vikunja/commit/833f2aec006ac0f6643c41872e45dd79220b9174"}, {"name": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released", "tags": ["x_refsource_MISC"], "url": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released"}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"version": "< 2.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T15:35:37.991Z"}, "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to. Version 2.2.1 patches the issue."}], "source": {"advisory": "GHSA-8cmm-j6c4-rr8v", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8cmm-j6c4-rr8v", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T18:55:10.269836Z", "id": "CVE-2026-33676", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:55:19.706Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33676", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T18:55:10.269836Z"}}}], "references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8cmm-j6c4-rr8v", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:55:03.924Z"}}], "cna": {"title": "Vikunja has Cross-Project Information Disclosure via Task Relations \u2014 Missing Authorization Check on Related Task Read", "source": {"advisory": "GHSA-8cmm-j6c4-rr8v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"status": "affected", "version": "< 2.2.1"}]}], "references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8cmm-j6c4-rr8v", "name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8cmm-j6c4-rr8v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/go-vikunja/vikunja/pull/2449", "name": "https://github.com/go-vikunja/vikunja/pull/2449", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/go-vikunja/vikunja/commit/833f2aec006ac0f6643c41872e45dd79220b9174", "name": "https://github.com/go-vikunja/vikunja/commit/833f2aec006ac0f6643c41872e45dd79220b9174", "tags": ["x_refsource_MISC"]}, {"url": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released", "name": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to. Version 2.2.1 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T15:35:37.991Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33676", "state": "PUBLISHED", "dateUpdated": "2026-03-24T18:55:19.706Z", "dateReserved": "2026-03-23T16:34:59.930Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-24T15:35:37.991Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "matchCriteriaId": "E8647862-9C78-473D-9FED-7AFC24335A61", "versionEndExcluding": "2.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to. Version 2.2.1 patches the issue."}, {"lang": "es", "value": "Vikunja es una plataforma de gesti\u00f3n de tareas de c\u00f3digo abierto y autoalojada. Antes de la versi\u00f3n 2.2.1, cuando la API de Vikunja devuelve tareas, rellena el campo 'related_tasks' con objetos de tarea completos para todas las tareas relacionadas sin verificar si el usuario solicitante tiene permiso de lectura sobre los proyectos de esas tareas. Un usuario autenticado que puede leer una tarea que tiene relaciones entre proyectos recibir\u00e1 detalles completos (t\u00edtulo, descripci\u00f3n, fechas de vencimiento, prioridad, porcentaje de finalizaci\u00f3n, ID de proyecto, etc.) de tareas en proyectos a los que no tiene acceso. La versi\u00f3n 2.2.1 corrige el problema."}], "id": "CVE-2026-33676", "lastModified": "2026-03-27T16:12:26.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T16:16:34.947", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/go-vikunja/vikunja/commit/833f2aec006ac0f6643c41872e45dd79220b9174"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/go-vikunja/vikunja/pull/2449"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8cmm-j6c4-rr8v"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8cmm-j6c4-rr8v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vikunja", "source": "cna", "vendor": "go-vikunja"}, "product": "vikunja", "vendor": "go-vikunja"}], "analysis": {"en": {"generated_at": "2026-03-24T17:22:31.076980+00:00", "value": {"mitigation_remediation": ["Upgrade Vikunja to version 2.2.1 or later, which removes the missing authorization check on related tasks."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Vikunja, the open\u2011source self\u2011hosted task management platform, is affected on all releases prior to version 2.2.1. Users running earlier versions of Vikunja are vulnerable; the issue is fixed in release 2.2.1.", "description_and_impact": "The vulnerability allows an authenticated user to read full details of related tasks that belong to projects they are not authorized to access. When a task is retrieved via the API, the related_tasks field is populated with complete task objects for all linked tasks, even if the user lacks read permission on the other project. This amounts to an information disclosure that can reveal titles, descriptions, due dates, priority, completion percentage, and project identifiers. The weakness is an authorization check failure (CWE\u2011863).", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not widely exploited. The attack vector is likely via legitimate API calls made by an authenticated user who has read access to at least one project containing the target task. Once the API is called for a task with cross\u2011project relations, the attacker receives sensitive data from excluded projects, resulting in a confidentiality compromise. The exploitation requires no special external conditions beyond normal API usage by an authenticated user."}}}}, "created": "2026-03-25T11:47:09.899798+00:00", "updated": "2026-03-25T20:49:54.518287+00:00", "vendors": ["go-vikunja", "go-vikunja$PRODUCT$vikunja"]}