Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable, low-complexity IDOR exploitable without privileges or interaction via public link shares (PR:N/UI:N); reading exposes files (C:H) and deletion affects integrity and availability (I:H/A:H).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Vikunja before 2.2.1 contains an authorization flaw where the LinkSharing.ReadAll endpoint exposes share hashes to users with read access, enabling permission escalation to admin-level shares. The GetTaskAttachment endpoint performs permission checks against user-supplied task IDs but fetches attachments by sequential ID without verifying ownership, allowing attackers to download and delete all file attachments across all projects instance-wide.
AnalysisAI
Instance-wide data breach in Vikunja before 2.2.1 lets remote attackers exfiltrate and destroy every file attachment across all projects on a server. Two flaws chain together: the LinkSharing.ReadAll endpoint leaks share hashes to any user with read access, enabling escalation to admin-level shares, and the GetTaskAttachment endpoint validates permissions against a user-supplied task ID while fetching the attachment by an unrelated sequential ID, an insecure-direct-object-reference that ignores ownership. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target Vikunja instance expose the LinkSharing and task-attachment API endpoints over the network and, for fully unauthenticated abuse, that at least one public (password-less) link share exists to provide the initial read access that leaks admin-level share hashes; the chain then abuses predictable sequential attachment IDs, so no per-file authorization is needed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals point to a genuine high-priority issue rather than an inflated CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach a Vikunja instance - for example via any public link share - calls LinkSharing.ReadAll to harvest higher-privilege share hashes, then uses that access to invoke GetTaskAttachment while incrementing the sequential attachment ID. By walking the ID space they download every file attachment on the server regardless of project ownership, and can issue delete requests to destroy them. … |
| Remediation | Vendor-released patch: 2.2.1 - upgrade all Vikunja instances to 2.2.1 or later as the primary fix, per GHSA-2pv8-4c52-mf8j (https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2pv8-4c52-mf8j). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Restrict network access to Vikunja instances to authenticated corporate network only; inventory critical attachments for backup verification. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Weak password policy in Vikunja task management before 2.0.0 allows users to set trivially guessable passwords. PoC avai
Stored cross-site scripting (XSS) in Vikunja prior to version 2.0.0 allows authenticated attackers to steal authenticati
Vikunja before version 2.0.0 contains a path traversal vulnerability in its backup restoration function that fails to va
Vikunja is an open-source self-hosted task management platform. [CVSS 6.1 MEDIUM]
Business logic vulnerability in Vikunja task management platform before 2.1.0 allows incomplete resource cleanup, potent
Authentication bypass in Vikunja task management platform allows unauthenticated attackers to circumvent two-factor auth
Vikunja prior to version 2.3.0 fails to validate link share permissions against server state during JWT authentication,
The Vikunja Desktop Electron application fails to validate or allowlist URI schemes before passing URLs from window.open
Cross-site scripting (XSS) in Vikunja prior to version 1.1.0 allows authenticated attackers to execute arbitrary JavaScr
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42890
GHSA-pg6g-jf8c-49p7