Home / Vulnerability Intelligence / CVE-2026-33678

CVE-2026-33678 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: March 25, 2026

Vikunja - Broken Access Control

Published: March 24, 2026Updated: March 25, 2026Remote Exploitable

Overview

Vikunja < 2.2.1 contains a broken access control caused by TaskAttachment.ReadOne() querying attachments by ID without validating task ID, letting authenticated users download or delete any attachment, exploit requires authentication.

Severity & Score

Severity: High

CVSS Score: 8.1

EPSS Score: 2.8%(Probability of exploitation in next 30 days)

Impact

Authenticated users can access or delete attachments from other projects, leading to unauthorized data access and modification.

Mitigation

Update to version 2.2.1 or later.

References

Social Media Activity(1 post)

Ivy Cyber

@ivycyber

Mar 24, 2026

🛡️ #Cybersecurity news & tips across the #fediverse “🟠 CVE-2026-33678 - High (8.1) Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, `TaskAttachment.ReadOne()` queries attachments by ID only (`WHERE id = ?`), ignoring the task ID fro...” https://mastodon.social/@thehackerwire/116285975900964242 🤖 via RSS feed. Not an endorsement.

View original post

Related Resources

Details

CVE ID: CVE-2026-33678
Severity: High
CVSS Score: 8.1
Type: broken_access_control
Status: unconfirmed
EPSS: 2.8%
Social Posts: 1

CWE

CWE-639

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Score

2.8%Probability of exploitation in the next 30 days