CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to. Version 2.2.1 patches the issue.
Analysis
Vikunja prior to version 2.2.1 suffers from an information disclosure vulnerability where the API returns full task object details in the `related_tasks` field without validating the requesting user's read permissions on the related tasks' projects. An authenticated attacker can exploit cross-project task relationships to enumerate sensitive task metadata (titles, descriptions, due dates, priorities, completion percentages, project IDs) from projects they have no access to, achieving a high-confidence information disclosure with CVSS 6.5 and no active exploitation reported in known exploit databases.
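As an added illustration of the authorization flaw described above (this is not Vikunja's own code; the `Task` type, the `ReadChecker` hook and the function names are hypothetical), the Go sketch below contrasts expanding `related_tasks` without any check against a version that applies the requesting user's per-project read permission to each related task before including it. The hardened version simply omits related tasks the caller cannot read; returning a minimal reference (ID only) is another defensible design, but it still requires the same check.

```go
package main

import "fmt"

// Task is a simplified task record (hypothetical model, not Vikunja's).
// Related maps a relation kind (for example "related" or "subtask") to the
// tasks on the other side of the relation, as a related_tasks-style field would.
type Task struct {
	ID        int64
	ProjectID int64
	Title     string
	Related   map[string][]*Task
}

// ReadChecker reports whether userID may read tasks in projectID.
// In a real application this is backed by the project permission model.
type ReadChecker func(userID, projectID int64) bool

// ExpandRelatedUnchecked is the flawed pattern: every related task is copied
// into the response in full, regardless of the caller's access to its project.
func ExpandRelatedUnchecked(t *Task) map[string][]*Task {
	out := make(map[string][]*Task, len(t.Related))
	for kind, tasks := range t.Related {
		out[kind] = append([]*Task(nil), tasks...)
	}
	return out
}

// ExpandRelatedChecked is the hardened pattern: a related task is included
// only if the requesting user can read the project it belongs to. Relation
// kinds that end up empty are left out of the map entirely.
func ExpandRelatedChecked(t *Task, userID int64, canRead ReadChecker) map[string][]*Task {
	out := make(map[string][]*Task)
	for kind, tasks := range t.Related {
		for _, rt := range tasks {
			if canRead(userID, rt.ProjectID) {
				out[kind] = append(out[kind], rt)
			}
		}
	}
	return out
}

// SampleData builds a constructed fixture: user 7 can read project 1 only,
// and a task in project 1 carries relations into both project 1 and project 2.
func SampleData() (*Task, ReadChecker) {
	access := map[int64]map[int64]bool{
		7: {1: true}, // constructed: user 7 -> project 1 only
	}
	canRead := func(userID, projectID int64) bool {
		return access[userID][projectID]
	}
	visible := &Task{ID: 11, ProjectID: 1, Title: "Visible"}
	hidden := &Task{ID: 12, ProjectID: 2, Title: "Hidden"}
	hiddenSub := &Task{ID: 13, ProjectID: 2, Title: "HiddenSubtask"}
	root := &Task{
		ID: 10, ProjectID: 1, Title: "Root",
		Related: map[string][]*Task{
			"related": {visible, hidden},
			"subtask": {hiddenSub},
		},
	}
	return root, canRead
}

// Titles flattens a relation map into "kind:title" strings for display.
func Titles(m map[string][]*Task) []string {
	var out []string
	for kind, tasks := range m {
		for _, t := range tasks {
			out = append(out, kind+":"+t.Title)
		}
	}
	return out
}

func main() {
	task, canRead := SampleData()
	fmt.Println("unchecked:", Titles(ExpandRelatedUnchecked(task)))
	fmt.Println("checked:  ", Titles(ExpandRelatedChecked(task, 7, canRead)))
}
```

The check has to run per related task, not per root task: the root task being readable says nothing about the projects of the tasks it links to, which is exactly the gap the advisory describes.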
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of the regular patch cycle. Monitor vendor channels for patch availability.
EUVD-2026-14917
GHSA-8cmm-j6c4-rr8v