CVE-2026-33313

MEDIUM

Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments

Title source: cna

Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to. Version 2.2.0 fixes the issue.

References (3)

[X_Refsource_Confirm] https://github.com/go-vikunja/vikunja/security/advisories/GHSA-mr3j-p26x-72x4

[X_Refsource_Misc] https://github.com/go-vikunja/vikunja/commit/bc6d843ed4df82a6c89f10aa676a7a33d27bf2fd

View Writeup ZIP pw:eip

[X_Refsource_Misc] https://vikunja.io/changelog/vikunja-v2.2.0-was-released

Scores

CVSS v3 4.3

EPSS 0.0003

EPSS Percentile 9.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-639

Status published

Products (3)

code.vikunja.io/api 0Go

go-vikunja/vikunja < 2.2.0

vikunja/vikunja < 2.2.0

Published Mar 24, 2026

Tracked Since Mar 24, 2026