Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the related_tasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to. Version 2.2.1 patches the issue.
AnalysisAI
Vikunja prior to version 2.2.1 suffers from an information disclosure vulnerability where the API returns full task object details in the related_tasks field without validating the requesting user's read permissions on the related tasks' projects. An authenticated attacker can exploit cross-project task relationships to enumerate sensitive task metadata (titles, descriptions, due dates, priorities, completion percentages, project IDs) from projects they have no access to, achieving a high-confidence information disclosure with CVSS 6.5 and no active exploitation reported in known exploit databases.
Technical ContextAI
The vulnerability stems from insufficient access control checks (CWE-863: Incorrect Authorization) in Vikunja's task relationship handling logic. Vikunja is a self-hosted task management platform that supports cross-project task relations via a related_tasks field. The affected product line is identified by CPE cpe:2.3:a:go-vikunja:vikunja:*:*:*:*:*:*:*:* with versions prior to 2.2.1. When the API endpoint returns task objects, the serialization process populates related task references with complete task data structures without first performing authorization checks to confirm the requesting user has read access to the project containing each related task. This is a classic case of authorization bypass in REST API response filtering where child/related objects inherit visibility rules from the parent rather than enforcing independent permission checks.
RemediationAI
Upgrade Vikunja to version 2.2.1 or later immediately. The patch is available via the official GitHub repository at https://github.com/go-vikunja/vikunja/pull/2449 and the implementing commit 833f2aec006ac0f6643c41872e45dd79220b9174. For deployments unable to patch immediately, restrict API access to trusted network ranges using firewall rules or a reverse proxy, enforce mutual TLS authentication if applicable, and audit API access logs for suspicious enumeration patterns (repeated requests to related_tasks fields across multiple task IDs). Consider temporarily disabling cross-project task linking features at the application configuration level if the risk profile is particularly high.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14917
GHSA-8cmm-j6c4-rr8v