CVE-2026-33676 MEDIUM

CVE-2026-33676: Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read

Vendor Go-Vikunja

Product vikunja

Weakness CWE-863 · Incorrect authorization

Published March 24, 2026

Last update March 24, 2026

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to. Version 2.2.1 patches the issue.

Key dates

02Disclosure timeline

March 24, 2026 CVE published

March 24, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-33676

Related vulnerabilities

CVE-2026-33676: Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read

01Description

02Disclosure timeline

03References

04Related CVE