Skip to main content

Suse CVE-2026-33679

| EUVDEUVD-2026-14923 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-24 GitHub_M
6.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 24, 2026 - 16:00 euvd
EUVD-2026-14923
Analysis Generated
Mar 24, 2026 - 16:00 vuln.today
CVE Published
Mar 24, 2026 - 15:46 nvd
MEDIUM 6.4

DescriptionGitHub Advisory

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the DownloadImage function in pkg/utils/avatar.go uses a bare http.Client{} with no SSRF protection when downloading user avatar images from the OpenID Connect picture claim URL. An attacker who controls their OIDC profile picture URL can force the Vikunja server to make HTTP GET requests to arbitrary internal or cloud metadata endpoints. This bypasses the SSRF protections that are correctly applied to the webhook system. Version 2.2.1 patches the issue.

AnalysisAI

Vikunja versions prior to 2.2.1 contain a Server-Side Request Forgery (SSRF) vulnerability in the avatar image download functionality that fails to implement proper protections when fetching user profile pictures from OpenID Connect provider URLs. An authenticated attacker can exploit this by controlling their OIDC profile picture URL to force the Vikunja server to make arbitrary HTTP GET requests to internal networks or cloud metadata endpoints, potentially disclosing sensitive information. The vulnerability has a CVSS score of 6.4 (medium severity) and is patched in version 2.2.1.

Technical ContextAI

The vulnerability exists in the DownloadImage function within pkg/utils/avatar.go of the Vikunja task management platform (identified by CPE cpe:2.3:a:go-vikunja:vikunja). The root cause is classified under CWE-918 (Server-Side Request Forgery), which occurs when an application fetches remote resources based on user-controlled input without proper validation. Specifically, when processing the picture claim from OpenID Connect provider responses, the code instantiates a bare http.Client{} without implementing SSRF protections such as URL scheme validation, private IP range blocking, or DNS resolution filtering. This contrasts sharply with the webhook system in the same codebase, which correctly implements such protections, indicating this is a consistency/oversight issue rather than a systemic design flaw. The attacker-controlled URL can target internal services (e.g., internal APIs on RFC1918 addresses) or cloud provider metadata endpoints (e.g., AWS EC2 metadata service at 169.254.169.254), creating information disclosure risk.

RemediationAI

Upgrade Vikunja to version 2.2.1 or later, which includes the patched DownloadImage function with proper SSRF protections. The official vendor security advisory is available at https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g9xj-752q-xh63 and the fix can be reviewed at https://github.com/go-vikunja/vikunja/commit/363aa6642352b08fc8bc6aaff2f3a550393af1cf. For deployments where immediate patching is not feasible, implement network segmentation to restrict the Vikunja server's outbound HTTP/HTTPS access to only trusted OIDC provider domains and their CDNs, and disable or restrict OIDC authentication if it is not essential. Additionally, configure firewall rules to prevent access from the Vikunja server to internal metadata endpoints (169.254.169.254 for AWS) and RFC1918 address ranges.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-33679 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy