Skip to main content

Suse CVE-2026-33313

MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-03-20 https://github.com/go-vikunja/vikunja GHSA-mr3j-p26x-72x4
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 20, 2026 - 17:30 vuln.today
Patch released
Mar 20, 2026 - 17:30 nvd
Patch available
CVE Published
Mar 20, 2026 - 17:25 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

An authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to.

Details

The GET /api/v1/tasks/{taskID}/comments/{commentID} endpoint performs an authorization check against the task ID provided in the URL path, then loads the comment by its own ID without verifying it belongs to that task.

Root Cause

In pkg/models/task_comment_permissions.go, CanRead constructs a Task using the TaskID from the URL and checks Task.CanRead:

go
func (tc *TaskComment) CanRead(s *xorm.Session, a web.Auth) (bool, int, error) {
    t := Task{ID: tc.TaskID}
    return t.CanRead(s, a)
}

In pkg/models/task_comments.go, getTaskCommentSimple loads the comment by ID only, with NoAutoCondition() explicitly disabling XORM's implicit struct-field filtering:

go
func getTaskCommentSimple(s *xorm.Session, tc *TaskComment) error {
    exists, err := s.
        Where("id = ?", tc.ID).
        NoAutoCondition().
        Get(tc)
    // ...
}

The generic web handler (pkg/web/handler/read_one.go) calls CanRead before ReadOne, so the permission check passes against the attacker-controlled task ID, and then ReadOne returns the comment from a completely different task.

Attack Scenario

  1. Attacker is authenticated and has read access to any task (task ID A) - e.g. their own task.
  2. Attacker guesses or enumerates a comment ID (C) belonging to a task in another user's private project.
  3. Attacker requests: GET /api/v1/tasks/A/comments/C
  4. Authorization passes because the attacker can read task A.
  5. The comment C is loaded by ID only and returned, leaking its contents and author.

Credit

This vulnerability was found using GitHub Security Lab Taskflows.

AnalysisAI

An authenticated user in Vikunja can read any task comment by its ID without proper authorization checks, regardless of whether they have access to the task that comment belongs to. The vulnerability exists in the GET /api/v1/tasks/{taskID}/comments/{commentID} endpoint, which validates access against the attacker-controlled task ID in the URL but then loads the comment by ID alone, bypassing task ownership verification. Any authenticated attacker with read access to at least one task can enumerate and retrieve comments from arbitrary tasks and private projects, leading to unauthorized information disclosure.

Technical ContextAI

The vulnerability affects the Vikunja API (pkg:go/code.vikunja.io_api), a task management and project planning application written in Go. The root cause is a broken access control pattern classified under CWE-639 (Authorization Bypass Through User-Controlled Key), where two separate authorization and data-loading steps are desynchronized. The TaskComment.CanRead() method in pkg/models/task_comment_permissions.go constructs a Task object using only the TaskID from the URL path and checks authorization against that task, but the subsequent getTaskCommentSimple() function in pkg/models/task_comments.go loads the comment by its own ID with XORM's implicit field filtering explicitly disabled via NoAutoCondition(). This design flaw allows an attacker to satisfy the authorization check for one task while retrieving comments from an entirely different task, effectively decoupling authorization logic from data retrieval.

RemediationAI

Administrators should upgrade Vikunja to a version incorporating commit bc6d843ed4df82a6c89f10aa676a7a33d27bf2fd or later. The patch is available from the vendor repository at https://github.com/go-vikunja/vikunja/commit/bc6d843ed4df82a6c89f10aa676a7a33d27bf2fd. The fix corrects the authorization logic in TaskComment.CanRead() to verify that the requested comment actually belongs to the task being authorized, not just that the attacker has access to some task. Until patching is possible, apply defense-in-depth controls: restrict API access to trusted IP ranges or VPN, enforce HTTPS with strict TLS certificates, implement rate limiting on the comments endpoint to detect enumeration attempts, audit API access logs for patterns of comment ID enumeration across multiple tasks, and consider temporarily disabling the comments API endpoint if it is not critical to operations. Monitor the official Vikunja GitHub repository and security advisory channels for patch availability and release notes.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-33313 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy