CVE-2026-33676

Exploit

EPSS 0.03%
Veröffentlicht 24.03.2026 15:35:37
Zuletzt bearbeitet 27.03.2026 16:12:26
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to. Version 2.2.1 patches the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vikunja ≫ Vikunja Version < 2.2.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.087

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://vikunja.io/changelog/vikunja-v2.2.2-was-released

Release Notes

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8cmm-j6c4-rr8v

Vendor Advisory

Exploit

https://github.com/go-vikunja/vikunja/pull/2449

Issue Tracking

https://github.com/go-vikunja/vikunja/commit/833f2aec006ac0f6643c41872e45dd79220b9174

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-33676

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33676

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33676

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-33676