Suse
CVE-2026-33313
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
An authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to.
Details
The GET /api/v1/tasks/{taskID}/comments/{commentID} endpoint performs an authorization check against the task ID provided in the URL path, then loads the comment by its own ID without verifying it belongs to that task.
Root Cause
In pkg/models/task_comment_permissions.go, CanRead constructs a Task using the TaskID from the URL and checks Task.CanRead:
func (tc *TaskComment) CanRead(s *xorm.Session, a web.Auth) (bool, int, error) {
t := Task{ID: tc.TaskID}
return t.CanRead(s, a)
}In pkg/models/task_comments.go, getTaskCommentSimple loads the comment by ID only, with NoAutoCondition() explicitly disabling XORM's implicit struct-field filtering:
func getTaskCommentSimple(s *xorm.Session, tc *TaskComment) error {
exists, err := s.
Where("id = ?", tc.ID).
NoAutoCondition().
Get(tc)
// ...
}The generic web handler (pkg/web/handler/read_one.go) calls CanRead before ReadOne, so the permission check passes against the attacker-controlled task ID, and then ReadOne returns the comment from a completely different task.
Attack Scenario
- Attacker is authenticated and has read access to any task (task ID
A) - e.g. their own task. - Attacker guesses or enumerates a comment ID (
C) belonging to a task in another user's private project. - Attacker requests:
GET /api/v1/tasks/A/comments/C - Authorization passes because the attacker can read task
A. - The comment
Cis loaded by ID only and returned, leaking its contents and author.
Credit
This vulnerability was found using GitHub Security Lab Taskflows.
AnalysisAI
An authenticated user in Vikunja can read any task comment by its ID without proper authorization checks, regardless of whether they have access to the task that comment belongs to. The vulnerability exists in the GET /api/v1/tasks/{taskID}/comments/{commentID} endpoint, which validates access against the attacker-controlled task ID in the URL but then loads the comment by ID alone, bypassing task ownership verification. Any authenticated attacker with read access to at least one task can enumerate and retrieve comments from arbitrary tasks and private projects, leading to unauthorized information disclosure.
Technical ContextAI
The vulnerability affects the Vikunja API (pkg:go/code.vikunja.io_api), a task management and project planning application written in Go. The root cause is a broken access control pattern classified under CWE-639 (Authorization Bypass Through User-Controlled Key), where two separate authorization and data-loading steps are desynchronized. The TaskComment.CanRead() method in pkg/models/task_comment_permissions.go constructs a Task object using only the TaskID from the URL path and checks authorization against that task, but the subsequent getTaskCommentSimple() function in pkg/models/task_comments.go loads the comment by its own ID with XORM's implicit field filtering explicitly disabled via NoAutoCondition(). This design flaw allows an attacker to satisfy the authorization check for one task while retrieving comments from an entirely different task, effectively decoupling authorization logic from data retrieval.
RemediationAI
Administrators should upgrade Vikunja to a version incorporating commit bc6d843ed4df82a6c89f10aa676a7a33d27bf2fd or later. The patch is available from the vendor repository at https://github.com/go-vikunja/vikunja/commit/bc6d843ed4df82a6c89f10aa676a7a33d27bf2fd. The fix corrects the authorization logic in TaskComment.CanRead() to verify that the requested comment actually belongs to the task being authorized, not just that the attacker has access to some task. Until patching is possible, apply defense-in-depth controls: restrict API access to trusted IP ranges or VPN, enforce HTTPS with strict TLS certificates, implement rate limiting on the comments endpoint to detect enumeration attempts, audit API access logs for patterns of comment ID enumeration across multiple tasks, and consider temporarily disabling the comments API endpoint if it is not critical to operations. Monitor the official Vikunja GitHub repository and security advisory channels for patch availability and release notes.
Same technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-mr3j-p26x-72x4