CVE-2026-33679 MEDIUM

CVE-2026-33679: Vikunja has SSRF via OpenID Connect Avatar Download that Bypasses Webhook SSRF Protections

Vendor Go-Vikunja
Product vikunja
Weakness CWE-918 · SSRF
Published March 24, 2026
Last update March 24, 2026

CVSS base score

6.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L

What the vulnerability does

Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http.Client{}` with no SSRF protection when downloading user avatar images from the OpenID Connect `picture` claim URL. An attacker who controls their OIDC profile picture URL can force the Vikunja server to make HTTP GET requests to arbitrary internal or cloud metadata endpoints. This bypasses the SSRF protections that are correctly applied to the webhook system. Version 2.2.1 patches the issue.
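The description contrasts a bare `http.Client{}` with the SSRF protections applied elsewhere in the codebase. The following Go example is added here to show what such protection looks like for a server-side fetch of a user-supplied avatar URL; it is not Vikunja's code and not its 2.2.1 patch, and the names `isDisallowedIP`, `checkAvatarURL`, `safeDialContext`, `newAvatarClient` and `downloadAvatar` are this example's own. The check is placed in the transport's dialer, so it applies to the IP actually being connected to (after resolution) rather than to the hostname string, which is what defeats DNS-rebinding and redirect tricks.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"time"
)

// errBlockedDestination is returned when a request would reach an address
// that a server-side avatar download has no business contacting.
var errBlockedDestination = errors.New("avatar download: destination address is not allowed")

// isDisallowedIP reports whether ip lies in a range a fetch of a user-supplied
// URL must never reach: loopback, RFC 1918 / ULA private space, link-local
// (which contains the 169.254.169.254 cloud metadata address), multicast and
// the unspecified address. A deployment may extend this list further.
func isDisallowedIP(ip net.IP) bool {
	return ip == nil || ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() ||
		ip.IsMulticast() || ip.IsUnspecified()
}

// checkAvatarURL accepts only absolute http(s) URLs with a host, so file:,
// gopher: and similar schemes are refused before any connection is attempted.
func checkAvatarURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return nil, fmt.Errorf("avatar download: unsupported URL %q", raw)
	}
	return u, nil
}

// safeDialContext resolves the host, rejects any disallowed answer, and then
// dials the vetted IP directly. Dialing the checked IP (not the hostname again)
// means a second DNS lookup cannot swap in an internal address after the check.
func safeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("avatar download: no addresses for %q", host)
	}
	for _, ip := range ips {
		if isDisallowedIP(ip.IP) {
			return nil, errBlockedDestination
		}
	}
	d := &net.Dialer{Timeout: 5 * time.Second}
	return d.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
}

// newAvatarClient is the hardened replacement for a bare http.Client{}: vetted
// dialing, a hard timeout, no environment proxy, and no redirect following
// (a redirect would otherwise be a second chance to point the fetch elsewhere).
func newAvatarClient() *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{
			DialContext:       safeDialContext,
			DisableKeepAlives: true,
		},
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return errors.New("avatar download: redirects are not followed")
		},
	}
}

// downloadAvatar fetches at most maxBytes of an image from a user-controlled URL
// through the hardened client, capping the body so a hostile server cannot
// exhaust memory either.
func downloadAvatar(client *http.Client, raw string, maxBytes int64) ([]byte, error) {
	u, err := checkAvatarURL(raw)
	if err != nil {
		return nil, err
	}
	resp, err := client.Get(u.String())
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("avatar download: unexpected status %d", resp.StatusCode)
	}
	return io.ReadAll(io.LimitReader(resp.Body, maxBytes))
}

func main() {
	client := newAvatarClient()
	// Constructed sample targets: each is refused before a socket is opened.
	for _, target := range []string{
		"http://127.0.0.1:8080/avatar.png",          // loopback: blocked at dial time
		"http://169.254.169.254/latest/meta-data/",  // metadata: blocked at dial time
		"file:///etc/hostname",                      // wrong scheme: blocked before dialing
	} {
		_, err := downloadAvatar(client, target, 1<<20)
		fmt.Printf("%-45s -> %v\n", target, err)
	}
}
```

The same client would be the one to reuse for any other server-side fetch of user-supplied URLs (webhooks included), so that one policy governs every outbound request rather than each call site deciding for itself.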

Key dates

Disclosure timeline

March 24, 2026 CVE published
March 24, 2026 Record updated