CVE-2026-33680
Published: 24 March 2026
Summary
CVE-2026-33680 is a high-severity Improper Authorization (CWE-285) vulnerability in Vikunja (vendor and product: Vikunja). Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 3.6th percentile by exploit likelihood (well below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-33680 is a vulnerability in Vikunja, an open-source self-hosted task management platform, affecting versions prior to 2.2.2. The issue stems from the `LinkSharing.ReadAll()` method, which allows authenticated link share users to list all link shares for a project, including their secret hashes. While the `LinkSharing.CanRead()` function correctly prevents link share users from accessing individual shares through `ReadOne()`, the `ReadAllWeb` handler bypasses this authorization check by not calling `CanRead()`. This flaw is classified under CWE-285 (Improper Authorization) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
An attacker who holds a read-only link share for a project can exploit this over the network with low complexity and no user interaction. Note the vector's PR:N: the precondition is possession of a read-only link-share hash, which is a shareable bearer secret rather than an account. By calling the link-share listing endpoint for that project (the `ReadAllWeb` handler backed by `LinkSharing.ReadAll()`), the attacker receives the secret hashes of every link share on the project, including those granting write or admin rights. Authenticating with one of those hashes escalates the attacker from read-only access to full admin control over the project.
Vikunja version 2.2.2 patches the vulnerability by enforcing the missing authorization check in the `ReadAllWeb` handler. Operators should upgrade to this version immediately. The patch closes the listing path but does not retroactively protect hashes that were already harvested, so where exposure is suspected, deleting and recreating write and admin link shares is prudent. Additional details are available in the GitHub security advisory (https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8hp8-9fhr-pfm9), the patching commit (https://github.com/go-vikunja/vikunja/commit/9efe1fadba817923c7c7f5953c3e9e9c5683bbf3), and the release changelog (https://vikunja.io/changelog/vikunja-v2.2.2-was-released).
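The following Go program is an added illustration written for this page; it is not Vikunja's code and does not use Vikunja's types or HTTP layer. It models the two handler behaviours the advisory describes: a listing function that skips the `CanRead()`-style check and one that applies it, plus the escalation path an attacker would walk with a read-only hash. The type and function names (`LinkShare`, `Auth`, `canRead`, `readAllVulnerable`, `readAllFixed`, `authenticateWithHash`, `escalate`) and the sample data in `newDemoStore` are hypothetical and constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
)

// Right is the permission level a link share grants on its project.
type Right int

const (
	RightRead Right = iota
	RightWrite
	RightAdmin
)

func (r Right) String() string { return [...]string{"read", "write", "admin"}[r] }

// LinkShare models a project link share (hypothetical, not Vikunja's struct).
// Hash is a bearer secret: anyone who knows it can authenticate as this share.
type LinkShare struct {
	ID        int64
	ProjectID int64
	Hash      string
	Right     Right
}

// Auth is the principal behind a request: a regular user, or a link share
// (LinkShareID != 0) that logged in with a hash.
type Auth struct {
	UserID      int64
	LinkShareID int64
	ProjectID   int64
	Right       Right
}

func (a Auth) IsLinkShare() bool { return a.LinkShareID != 0 }

var (
	ErrForbidden    = errors.New("forbidden")
	ErrUnauthorized = errors.New("unknown link share hash")
)

// Store is an in-memory stand-in for the database.
type Store struct{ shares []LinkShare }

func (s *Store) sharesFor(projectID int64) []LinkShare {
	var out []LinkShare
	for _, sh := range s.shares {
		if sh.ProjectID == projectID {
			out = append(out, sh)
		}
	}
	return out
}

// canRead is the policy the advisory attributes to LinkSharing.CanRead():
// a link-share principal may not read link-share objects at all.
func canRead(a Auth) bool { return !a.IsLinkShare() }

// readAllVulnerable mirrors the pre-2.2.2 ReadAllWeb behaviour: it returns
// every share for the project, hashes included, without consulting canRead.
func readAllVulnerable(s *Store, a Auth, projectID int64) ([]LinkShare, error) {
	return s.sharesFor(projectID), nil
}

// readAllFixed applies the same check that ReadOne already performed.
func readAllFixed(s *Store, a Auth, projectID int64) ([]LinkShare, error) {
	if !canRead(a) {
		return nil, ErrForbidden
	}
	return s.sharesFor(projectID), nil
}

// authenticateWithHash is the link-share login: a valid hash yields a
// principal carrying that share's right on that share's project.
func authenticateWithHash(s *Store, hash string) (Auth, error) {
	for _, sh := range s.shares {
		if sh.Hash == hash {
			return Auth{LinkShareID: sh.ID, ProjectID: sh.ProjectID, Right: sh.Right}, nil
		}
	}
	return Auth{}, ErrUnauthorized
}

// escalate plays the attack from the advisory: log in with a read-only hash,
// ask the listing endpoint for all shares, and re-authenticate with the most
// privileged hash returned. It reports the highest right obtained.
func escalate(s *Store, readAll func(*Store, Auth, int64) ([]LinkShare, error), readOnlyHash string) (Right, error) {
	a, err := authenticateWithHash(s, readOnlyHash)
	if err != nil {
		return 0, err
	}
	shares, err := readAll(s, a, a.ProjectID)
	if err != nil {
		return a.Right, err // listing refused: attacker keeps only read access
	}
	best := a.Right
	for _, sh := range shares {
		if sh.Right > best {
			if b, err := authenticateWithHash(s, sh.Hash); err == nil {
				best = b.Right
			}
		}
	}
	return best, nil
}

// newDemoStore builds constructed sample data: one project with a read-only,
// a write and an admin link share.
func newDemoStore() *Store {
	return &Store{shares: []LinkShare{
		{ID: 1, ProjectID: 42, Hash: "hash-read-only", Right: RightRead},
		{ID: 2, ProjectID: 42, Hash: "hash-write", Right: RightWrite},
		{ID: 3, ProjectID: 42, Hash: "hash-admin", Right: RightAdmin},
	}}
}

func main() {
	s := newDemoStore()
	got, err := escalate(s, readAllVulnerable, "hash-read-only")
	fmt.Println("vulnerable handler:", got, err) // admin <nil>
	got, err = escalate(s, readAllFixed, "hash-read-only")
	fmt.Println("fixed handler:", got, err) // read forbidden
}
```

The point the example makes is that the fix is not a change to the hash format or to the login path: the hashes were already secrets, and `ReadOne` already refused them to link-share principals. The listing path simply lacked the same gate, and a regular project owner (`Auth{UserID: 7}`) can still list shares through `readAllFixed`. When auditing similar code, check every handler that returns a collection against the authorization applied to its single-item counterpart.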
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14925
Vulnerability details
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the `LinkSharing.ReadAll()` method allows link share authenticated users to list all link shares for a project, including their secret hashes. While `LinkSharing.CanRead()` correctly blocks link share users from reading individual shares via `ReadOne`, the `ReadAllWeb` handler bypasses this check by never calling `CanRead()`. An attacker with a read-only link share can retrieve hashes for write or admin link shares on the same project and authenticate with them, escalating to full admin access. Version 2.2.2 patches the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper authorization in the ReadAllWeb handler lets a read-only link-share user retrieve the secret hashes of higher-privilege link shares on the same project and authenticate with them, escalating to admin rights on that project.
Mitigating Controls (NIST 800-53 r5)
AC-3 (Access Enforcement) requires that approved authorizations be enforced on every access path, not only some of them. Applying the same CanRead() check in the ReadAllWeb handler that ReadOne already applies is exactly this control, and it prevents link share users from listing a project's shares and their secret hashes.
SI-2 (Flaw Remediation) requires timely patching. Upgrading to Vikunja 2.2.2, which fixes the ReadAllWeb bypass, removes the vulnerability from the deployment.
AC-6 (Least Privilege) limits the damage from a bypass: a link share principal should be able to reach only the project data its own share grants, never the other shares on the project. Keeping the number of write and admin link shares small, and removing those no longer needed, reduces what an attacker could gain from a listing of their hashes.