CVE-2026-33677 MEDIUM

CVE-2026-33677: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API

Vendor Go-Vikunja
Product vikunja
Weakness CWE-200 · Info exposure
Published March 24, 2026
Last update March 24, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `GET /api/v1/projects/:project/webhooks` endpoint returns webhook BasicAuth credentials (`basic_auth_user` and `basic_auth_password`) in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC `secret` field, the BasicAuth fields added in a later migration were not given the same treatment. This allows read-only collaborators to steal credentials intended for authenticating against external webhook receivers. Version 2.2.1 patches the issue.
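As an added illustration (not Vikunja's own code): a Go sketch of the masking gap the advisory describes, with the pre-2.2.1 behaviour beside the corrected one and a contract-test helper that reports any sensitive key still populated in a serialized webhook response. The struct, function names and sample values are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Illustrative struct carrying the fields the advisory names; not Vikunja's own type.
type Webhook struct {
	TargetURL         string `json:"target_url"`
	Secret            string `json:"secret"`
	BasicAuthUser     string `json:"basic_auth_user"`
	BasicAuthPassword string `json:"basic_auth_password"`
}
// One list of keys a reader must never receive populated; new credential fields go here.
var sensitiveKeys = []string{"secret", "basic_auth_user", "basic_auth_password"}
// Pre-2.2.1 behaviour: only the HMAC secret is cleared, so the BasicAuth pair still leaks.
func redactPre221(w Webhook) Webhook {
	w.Secret = ""
	return w
}
// Fixed behaviour: every credential field is cleared before the webhook is listed.
func redactFixed(w Webhook) Webhook {
	w.Secret, w.BasicAuthUser, w.BasicAuthPassword = "", "", ""
	return w
}

// Contract-test check: parse a serialized webhook and return sensitive keys still populated.
func leakedFields(body []byte) ([]string, error) {
	var m map[string]interface{}
	if err := json.Unmarshal(body, &m); err != nil {
		return nil, err
	}
	var leaked []string
	for _, k := range sensitiveKeys {
		if s, ok := m[k].(string); ok && s != "" {
			leaked = append(leaked, k)
		}
	}
	return leaked, nil
}

func main() {
	w := Webhook{TargetURL: "https://receiver.example/hook", Secret: "s", BasicAuthUser: "u", BasicAuthPassword: "p"} // constructed sample; placeholders only
	old, _ := json.Marshal(redactPre221(w))
	fixed, _ := json.Marshal(redactFixed(w))
	l1, _ := leakedFields(old)
	l2, _ := leakedFields(fixed)
	fmt.Println("pre-2.2.1 leaks:", l1, "| fixed leaks:", l2)
}
```

Running `leakedFields` against the real listing endpoint's response body in an API test is the regression check that would have caught the unmasked fields.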

Key dates

02 Disclosure timeline

March 24, 2026 CVE published
March 24, 2026 Record updated