CVE-2026-33676
low-risk
Published 2026-03-24
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to. Version 2.2.1 patches the issue.
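The following Go sketch is an added illustration, not Vikunja's own code and not the change in the linked pull request. It models the flaw in the description with hypothetical types (Task, Relation), a constructed in-memory permission table (projectReaders) and constructed sample data: task 10 in project 1 has one relation to task 11 in the same project and one to task 20 in project 2. The unchecked path returns both related tasks in full to anyone who can read task 10; the hardened path checks read permission on each related task's own project (not the parent task's project) before including it.

```go
package main

import (
	"fmt"
	"sort"
)

// Task is a deliberately minimal model of a task record (assumption: these
// are not Vikunja's real types; field names are chosen for illustration).
type Task struct {
	ID          int64
	ProjectID   int64
	Title       string
	Description string
}

// Relation links a task to another task; the related task may live in a
// different project, which is the cross-project case the advisory describes.
type Relation struct {
	TaskID    int64
	RelatedID int64
	Kind      string
}

// Constructed sample data: project 1 is readable by users 7 and 8,
// project 2 only by user 8.
var tasks = map[int64]Task{
	10: {ID: 10, ProjectID: 1, Title: "Public roadmap item"},
	11: {ID: 11, ProjectID: 1, Title: "Follow-up in same project"},
	20: {ID: 20, ProjectID: 2, Title: "Confidential HR task", Description: "salary review"},
}

var relations = []Relation{
	{TaskID: 10, RelatedID: 11, Kind: "subtask"},
	{TaskID: 10, RelatedID: 20, Kind: "related"},
}

// projectReaders maps a project ID to the set of user IDs allowed to read it
// (constructed; a real system would consult its permission model here).
var projectReaders = map[int64]map[int64]bool{
	1: {7: true, 8: true},
	2: {8: true},
}

// CanReadProject is the per-project read check the vulnerable path omitted.
func CanReadProject(userID, projectID int64) bool {
	return projectReaders[projectID][userID]
}

// RelatedTasksUnchecked reproduces the flawed behaviour: every related task
// is returned in full, so read access to the parent task is all a caller needs.
func RelatedTasksUnchecked(taskID int64) []Task {
	var out []Task
	for _, r := range relations {
		if r.TaskID == taskID {
			out = append(out, tasks[r.RelatedID])
		}
	}
	sortByID(out)
	return out
}

// RelatedTasksChecked is the hardened form: a related task is included only
// if the requesting user can read the project that task belongs to.
func RelatedTasksChecked(userID, taskID int64) []Task {
	var out []Task
	for _, r := range relations {
		if r.TaskID != taskID {
			continue
		}
		t, ok := tasks[r.RelatedID]
		if !ok || !CanReadProject(userID, t.ProjectID) {
			continue // drop entirely; do not leak even the ID or title
		}
		out = append(out, t)
	}
	sortByID(out)
	return out
}

func sortByID(ts []Task) {
	sort.Slice(ts, func(i, j int) bool { return ts[i].ID < ts[j].ID })
}

// RelatedIDs extracts task IDs so results can be compared easily.
func RelatedIDs(ts []Task) []int64 {
	ids := make([]int64, 0, len(ts))
	for _, t := range ts {
		ids = append(ids, t.ID)
	}
	return ids
}

func main() {
	const requester int64 = 7 // can read project 1 only
	fmt.Println("unchecked:", RelatedIDs(RelatedTasksUnchecked(10)))          // [11 20]: task 20 leaks
	fmt.Println("checked:  ", RelatedIDs(RelatedTasksChecked(requester, 10))) // [11]
}
```

The design choice worth noting is that the hardened path drops an unreadable relation rather than returning a stub with the ID and title: even a bare title or project ID from a private project is information the requester was never granted. The check must also run against the related task's project, since the parent task's project is, by construction, one the requester can already read.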
Do I need to act?
EPSS: 0.03% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: not tracked on this page (the description above states that version 2.2.1 patches the issue; check vendor advisories for fix availability and mitigation guidance)
CVSS: 6.5/10 (Medium), attack vector NETWORK, attack complexity LOW
Affected Products (1)
Affected Vendors
References (5)
Issue Tracking
https://github.com/go-vikunja/vikunja/pull/2449
Release Notes
https://vikunja.io/changelog/vikunja-v2.2.2-was-released
Risk score: 29/100 (low-risk)
Severity: 24/34 (High)
Exploitability: 0/34 (Minimal)
Exposure: 5/34 (Minimal)