Skip to main content

Suse CVE-2026-33312

| EUVDEUVD-2026-13708 MEDIUM
Incorrect Authorization (CWE-863)
2026-03-20 GitHub_M GHSA-564f-wx8x-878h
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 20, 2026 - 15:00 euvd
EUVD-2026-13708
Analysis Generated
Mar 20, 2026 - 15:00 vuln.today
CVE Published
Mar 20, 2026 - 14:42 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

Vikunja is an open-source self-hosted task management platform. Starting in version 0.20.2 and prior to version 2.2.0, the DELETE /api/v1/projects/:project/background endpoint checks CanRead permission instead of CanUpdate, allowing any user with read-only access to a project to permanently delete its background image. Version 2.2.0 fixes the issue.

AnalysisAI

A permission-check bypass vulnerability exists in Vikunja versions 0.20.2 through 2.1.x where the DELETE /api/v1/projects/:project/background endpoint incorrectly validates CanRead permissions instead of CanUpdate permissions, allowing read-only project members to permanently delete a project's background image. This affects the go-vikunja:vikunja product family, and the vulnerability has been patched in version 2.2.0 as documented in the GitHub security advisory GHSA-564f-wx8x-878h.

Technical ContextAI

Vikunja is an open-source self-hosted task management platform written in Go (cpe:2.3:a:go-vikunja:vikunja). The vulnerability stems from incorrect authorization logic in the REST API endpoint responsible for background image management. The root cause is classified under CWE-863 (Incorrect Authorization), a design-level flaw where the application fails to enforce proper role-based access control. Specifically, the endpoint checks for read-only access (CanRead capability) when it should enforce write or administrative access (CanUpdate capability), allowing privilege escalation where read-only users can perform destructive administrative operations on shared project resources.

RemediationAI

Upgrade Vikunja to version 2.2.0 or later immediately. This patch corrects the authorization logic to require CanUpdate permissions for background deletion. Users unable to upgrade immediately should restrict project read-only access to trusted users only, implement network-level access controls to limit API exposure, and audit project member permissions to remove unnecessary read-only grants. For self-hosted deployments, consider temporarily disabling background image functionality via configuration if available. Consult the vendor advisory at https://github.com/go-vikunja/vikunja/security/advisories/GHSA-564f-wx8x-878h for deployment-specific guidance.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-33312 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy