CVE-2026-33680
Published: 24 March 2026
Summary
CVE-2026-33680 is a high-severity Improper Authorization (CWE-285) vulnerability in Vikunja Vikunja. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 2.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 enforces approved authorizations, directly preventing link share users from listing all project shares including privileged secret hashes due to the authorization bypass.
SI-2 requires timely flaw remediation, comprehensively mitigating the vulnerability by applying the Vikunja 2.2.2 patch that fixes the ReadAllWeb handler bypass.
AC-6 enforces least privilege, limiting damage from privilege escalation by ensuring link share users only access authorized shares without listing others.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper authorization in ReadAllWeb handler enables authenticated read-only users to retrieve secret hashes and escalate to admin privileges via valid higher-privilege link-share tokens.
NVD Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the `LinkSharing.ReadAll()` method allows link share authenticated users to list all link shares for a project, including their secret hashes. While `LinkSharing.CanRead()` correctly blocks link share users from…
more
reading individual shares via `ReadOne`, the `ReadAllWeb` handler bypasses this check by never calling `CanRead()`. An attacker with a read-only link share can retrieve hashes for write or admin link shares on the same project and authenticate with them, escalating to full admin access. Version 2.2.2 patches the issue.
Deeper analysisAI
CVE-2026-33680 is a vulnerability in Vikunja, an open-source self-hosted task management platform, affecting versions prior to 2.2.2. The issue stems from the `LinkSharing.ReadAll()` method, which allows authenticated link share users to list all link shares for a project, including their secret hashes. While the `LinkSharing.CanRead()` function correctly prevents link share users from accessing individual shares through `ReadOne()`, the `ReadAllWeb` handler bypasses this authorization check by not calling `CanRead()`. This flaw is classified under CWE-285 (Improper Authorization) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
An attacker with access to a read-only link share for a project can exploit this vulnerability over the network with low complexity and no user interaction. By invoking the `ReadAll()` endpoint, they retrieve secret hashes for all link shares on that project, including those granting write or admin privileges. The attacker can then authenticate using these higher-privilege hashes, escalating from read-only access to full admin control over the project.
Vikunja version 2.2.2 patches the vulnerability by addressing the bypass in the `ReadAllWeb` handler. Security practitioners should upgrade to this version immediately. Additional details are available in the GitHub security advisory (https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8hp8-9fhr-pfm9), the patching commit (https://github.com/go-vikunja/vikunja/commit/9efe1fadba817923c7c7f5953c3e9e9c5683bbf3), and the release changelog (https://vikunja.io/changelog/vikunja-v2.2.2-was-released).
Details
- CWE(s)