CVE-2026-33678
Published: 24 March 2026
Summary
CVE-2026-33678 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Vikunja. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 11.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 requires enforcement of approved authorizations for accessing resources like attachments, directly preventing the bypass where attachments are loaded without task ID validation.
SI-10 mandates validation of information inputs such as attachment IDs against the task context, mitigating user-controlled key bypass via enumeration.
AC-6 enforces least privilege, limiting authenticated users' access to only necessary tasks and projects, reducing the scope of exploitable attachments.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an IDOR / authorization bypass in a self-hosted web application (Vikunja) that allows low-privilege authenticated users to read or delete arbitrary attachments via manipulated IDs. It directly enables exploitation of public-facing applications (T1190), exploitation for privilege escalation to unauthorized data (T1068), and collection from an information repository / task management system (T1213).
NVD Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, `TaskAttachment.ReadOne()` queries attachments by ID only (`WHERE id = ?`), ignoring the task ID from the URL path. The permission check in `CanRead()` validates access to the task specified in the URL, but `ReadOne()` loads a different attachment that may belong to a task in another project. This allows any authenticated user to download or delete any attachment in the system by providing their own accessible task ID with a target attachment ID. Attachment IDs are sequential integers, making enumeration trivial. Version 2.2.1 patches the issue.
Deeper analysis
CVE-2026-33678 is a vulnerability in Vikunja, an open-source self-hosted task management platform. Prior to version 2.2.1, the `TaskAttachment.ReadOne()` function queries attachments solely by their ID (`WHERE id = ?`), disregarding the task ID from the URL path. While the `CanRead()` permission check validates access to the task in the URL, `ReadOne()` subsequently loads an attachment that may belong to a different task or project, enabling unauthorized access. This issue is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Any authenticated user with low privileges can exploit this vulnerability over the network with low complexity and no user interaction. By supplying a task ID they legitimately have access to alongside a target attachment ID, an attacker can download or delete arbitrary attachments across the system. Because attachment IDs are sequential integers, enumeration is straightforward, giving broad access to sensitive files without elevated permissions.
The GitHub security advisory (GHSA-jfmm-mjcp-8wq2) and Vikunja changelog detail the patch in version 2.2.1, which fixes the query to properly incorporate the task ID for authorization enforcement. Users should upgrade to version 2.2.1 or later to mitigate the issue.
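The following Go program is an added illustration of the flaw class described above and of the fix the advisory outlines; it is not Vikunja's own code, data model or query layer. It uses a constructed in-memory store with two projects, two tasks and two attachments, and contrasts a lookup that is keyed on the attachment ID alone (the `WHERE id = ?` pattern) with one that also binds the row to the task the caller was authorised for (the `WHERE id = ? AND task_id = ?` pattern). Names such as `Store`, `ReadOneVulnerable` and `ReadOneFixed` are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed sample model; an added illustration, not Vikunja's schema.
type Attachment struct {
	ID     int64
	TaskID int64
	File   string
}

type Task struct {
	ID        int64
	ProjectID int64
}

// Store holds the constructed data: task 1 in project 10 (readable by alice),
// task 2 in project 20 (readable only by bob).
type Store struct {
	tasks       map[int64]Task
	attachments map[int64]Attachment
	projectACL  map[int64]map[string]bool // projectID -> users allowed to read
}

func NewSampleStore() *Store {
	return &Store{
		tasks: map[int64]Task{1: {ID: 1, ProjectID: 10}, 2: {ID: 2, ProjectID: 20}},
		attachments: map[int64]Attachment{
			100: {ID: 100, TaskID: 1, File: "alice-notes.txt"},
			101: {ID: 101, TaskID: 2, File: "bob-secret.pdf"},
		},
		projectACL: map[int64]map[string]bool{
			10: {"alice": true},
			20: {"bob": true},
		},
	}
}

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("not found")
)

// canReadTask plays the role of the CanRead() step: it only verifies that the
// user may read the task named in the URL path.
func (s *Store) canReadTask(user string, taskID int64) bool {
	t, ok := s.tasks[taskID]
	if !ok {
		return false
	}
	return s.projectACL[t.ProjectID][user]
}

// ReadOneVulnerable reproduces the flawed pattern: the permission check uses
// taskID, but the row is fetched by attachmentID alone, so the task the user
// proved access to is never tied to the attachment that is returned.
func (s *Store) ReadOneVulnerable(user string, taskID, attachmentID int64) (Attachment, error) {
	if !s.canReadTask(user, taskID) {
		return Attachment{}, ErrForbidden
	}
	a, ok := s.attachments[attachmentID]
	if !ok {
		return Attachment{}, ErrNotFound
	}
	return a, nil
}

// ReadOneFixed scopes the lookup to the authorised task. An attachment that
// belongs to a different task is indistinguishable from a missing one, which
// also avoids confirming that the enumerated ID exists.
func (s *Store) ReadOneFixed(user string, taskID, attachmentID int64) (Attachment, error) {
	if !s.canReadTask(user, taskID) {
		return Attachment{}, ErrForbidden
	}
	a, ok := s.attachments[attachmentID]
	if !ok || a.TaskID != taskID {
		return Attachment{}, ErrNotFound
	}
	return a, nil
}

func main() {
	s := NewSampleStore()
	fmt.Println(s.ReadOneVulnerable("alice", 1, 100)) // alice's own file: allowed
	fmt.Println(s.ReadOneVulnerable("alice", 1, 101)) // bob's file leaks via alice's task ID
	fmt.Println(s.ReadOneFixed("alice", 1, 101))      // not found
}
```

The defensive point is that the authorisation check and the data access must share the same key: the attachment must be fetched in the context of the task (and therefore project) the caller was checked against, which is exactly what AC-3 and SI-10 call for in the mitigating-controls section above.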
Details
- CWE(s)