Home / Vulnerability Intelligence / CVE-2026-33678

CVE-2026-33678 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: March 24, 2026

Vikunja - Broken Access Control

Published: March 24, 2026Updated: March 24, 2026Remote Exploitable

Overview

Vikunja < 2.2.1 contains a broken access control caused by TaskAttachment.ReadOne() querying attachments by ID without validating task ID, letting authenticated users download or delete any attachment, exploit requires authentication.

Severity & Score

Severity: High

CVSS Score: 8.1

Impact

Authenticated users can access or delete attachments from other projects, leading to unauthorized data access and modification.

Mitigation

Update to version 2.2.1 or later.

References

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-jfmm-mjcp-8wq2
https://vikunja.io/changelog/vikunja-v2.2.2-was-released

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-33678
Severity: High
CVSS Score: 8.1
Type: broken_access_control
Status: new

CWE

CWE-639

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N