Skip to main content

Suse CVE-2026-33675

| EUVDEUVD-2026-14916 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-24 GitHub_M
6.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 24, 2026 - 15:45 euvd
EUVD-2026-14916
Analysis Generated
Mar 24, 2026 - 15:45 vuln.today
CVE Published
Mar 24, 2026 - 15:33 nvd
MEDIUM 6.4

DescriptionGitHub Advisory

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions DownloadFile and DownloadFileWithHeaders in pkg/modules/migration/helpers.go make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration, file attachment URLs from the third-party API response are passed directly to these functions, allowing an attacker to force the Vikunja server to fetch internal network resources and return the response as a downloadable task attachment. Version 2.2.1 patches the issue.

AnalysisAI

Vikunja prior to version 2.2.1 contains a Server-Side Request Forgery (SSRF) vulnerability in its migration helper functions that lack HTTP request validation. An authenticated attacker can exploit this by triggering a Todoist or Trello migration, which causes the Vikunja server to fetch arbitrary URLs specified in attachment metadata from third-party APIs, potentially exposing internal network resources and returning their contents as task attachments. The vulnerability requires low privilege (authenticated user) and carries a CVSS score of 6.4 with moderate confidentiality and availability impact across network boundaries.

Technical ContextAI

The vulnerability exists in the migration module of Vikunja (cpe:2.3:a:go-vikunja:vikunja), specifically in the functions DownloadFile and DownloadFileWithHeaders located in pkg/modules/migration/helpers.go. These functions perform unconstrained HTTP GET requests without SSRF protection mechanisms such as URL validation, private IP range filtering, or DNS rebinding defenses. When users import tasks from third-party platforms like Todoist or Trello via Vikunja's migration feature, the attachment URLs returned by those APIs are passed directly to these download functions without sanitization. This represents a classic CWE-918 (Server-Side Request Forgery) vulnerability where user-controlled or attacker-influenced input (the attachment URLs) is used to construct server-initiated network requests, allowing the attacker to probe internal network topology, access internal services, or retrieve sensitive data from localhost or private IP ranges.

RemediationAI

Upgrade Vikunja to version 2.2.1 or later immediately, as this version includes SSRF protections in the migration helper functions. The patch is available in the upstream repository at https://github.com/go-vikunja/vikunja/commit/93297742236e3d33af72c993e5da960db01d259e. Until patching is completed, restrict migration functionality to trusted administrator accounts only by enforcing role-based access controls on the Todoist and Trello migration features. Additionally, implement network segmentation to prevent the Vikunja server from reaching internal services—use egress firewall rules to block outbound connections to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.1/8, 169.254.0.0/16) and to local metadata services.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-33675 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy