Skip to main content

Suse CVE-2026-33677

| EUVDEUVD-2026-14920 MEDIUM
Information Exposure (CWE-200)
2026-03-24 GitHub_M GHSA-7c2g-p23p-4jg3
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 24, 2026 - 16:00 euvd
EUVD-2026-14920
Analysis Generated
Mar 24, 2026 - 16:00 vuln.today
CVE Published
Mar 24, 2026 - 15:36 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials (basic_auth_user and basic_auth_password) in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC secret field, the BasicAuth fields added in a later migration were not given the same treatment. This allows read-only collaborators to steal credentials intended for authenticating against external webhook receivers. Version 2.2.1 patches the issue.

AnalysisAI

Vikunja prior to version 2.2.1 exposes webhook BasicAuth credentials in plaintext through the GET /api/v1/projects/:project/webhooks API endpoint to any user with read access to a project. While HMAC secrets are properly masked, the BasicAuth username and password fields added in a later migration lack equivalent protection, allowing read-only collaborators to steal credentials intended for authenticating webhook requests to external systems. This is a confirmed information disclosure vulnerability with a CVSS 6.5 score reflecting moderate real-world risk due to the requirement for authenticated project access.

Technical ContextAI

Vikunja is an open-source self-hosted task management platform (cpe:2.3:a:go-vikunja:vikunja) built in Go that implements webhook functionality for project event notifications. The vulnerability stems from a data exposure weakness classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), where the API response serialization logic correctly masks sensitive HMAC secrets but fails to apply the same masking logic to BasicAuth credentials (basic_auth_user and basic_auth_password fields). This inconsistency suggests the BasicAuth fields were added in a later schema migration without implementing the existing credential-masking pattern, resulting in plaintext transmission of authentication material over API responses. The root cause is insufficient output encoding/filtering in the webhook resource representation layer.

RemediationAI

Upgrade Vikunja to version 2.2.1 or later immediately. This version includes fixes that mask BasicAuth credentials in the same manner as HMAC secrets, preventing their disclosure via the webhook API endpoint. Until patching is completed, restrict project read access to trusted collaborators only, implement network-level controls to limit API access to known internal IPs if operating in a closed environment, and audit webhook configurations to identify any credentials that may have been exposed. Organizations should rotate any BasicAuth credentials used in webhook configurations as a precaution. See the official advisory at https://github.com/go-vikunja/vikunja/security/advisories/GHSA-7c2g-p23p-4jg3 for additional guidance.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-33677 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy