EUVD-2026-14923CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
Lifecycle Timeline
4Tags
Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http.Client{}` with no SSRF protection when downloading user avatar images from the OpenID Connect `picture` claim URL. An attacker who controls their OIDC profile picture URL can force the Vikunja server to make HTTP GET requests to arbitrary internal or cloud metadata endpoints. This bypasses the SSRF protections that are correctly applied to the webhook system. Version 2.2.1 patches the issue.
Analysis
Vikunja versions prior to 2.2.1 contain a Server-Side Request Forgery (SSRF) vulnerability in the avatar image download functionality that fails to implement proper protections when fetching user profile pictures from OpenID Connect provider URLs. An authenticated attacker can exploit this by controlling their OIDC profile picture URL to force the Vikunja server to make arbitrary HTTP GET requests to internal networks or cloud metadata endpoints, potentially disclosing sensitive information. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today