Skip to main content

Suse EUVDEUVD-2026-14917

| CVE-2026-33676 MEDIUM
Incorrect Authorization (CWE-863)
2026-03-24 GitHub_M GHSA-8cmm-j6c4-rr8v
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 24, 2026 - 16:00 euvd
EUVD-2026-14917
Analysis Generated
Mar 24, 2026 - 16:00 vuln.today
CVE Published
Mar 24, 2026 - 15:35 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the related_tasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to. Version 2.2.1 patches the issue.

AnalysisAI

Vikunja prior to version 2.2.1 suffers from an information disclosure vulnerability where the API returns full task object details in the related_tasks field without validating the requesting user's read permissions on the related tasks' projects. An authenticated attacker can exploit cross-project task relationships to enumerate sensitive task metadata (titles, descriptions, due dates, priorities, completion percentages, project IDs) from projects they have no access to, achieving a high-confidence information disclosure with CVSS 6.5 and no active exploitation reported in known exploit databases.

Technical ContextAI

The vulnerability stems from insufficient access control checks (CWE-863: Incorrect Authorization) in Vikunja's task relationship handling logic. Vikunja is a self-hosted task management platform that supports cross-project task relations via a related_tasks field. The affected product line is identified by CPE cpe:2.3:a:go-vikunja:vikunja:*:*:*:*:*:*:*:* with versions prior to 2.2.1. When the API endpoint returns task objects, the serialization process populates related task references with complete task data structures without first performing authorization checks to confirm the requesting user has read access to the project containing each related task. This is a classic case of authorization bypass in REST API response filtering where child/related objects inherit visibility rules from the parent rather than enforcing independent permission checks.

RemediationAI

Upgrade Vikunja to version 2.2.1 or later immediately. The patch is available via the official GitHub repository at https://github.com/go-vikunja/vikunja/pull/2449 and the implementing commit 833f2aec006ac0f6643c41872e45dd79220b9174. For deployments unable to patch immediately, restrict API access to trusted network ranges using firewall rules or a reverse proxy, enforce mutual TLS authentication if applicable, and audit API access logs for suspicious enumeration patterns (repeated requests to related_tasks fields across multiple task IDs). Consider temporarily disabling cross-project task linking features at the application configuration level if the risk profile is particularly high.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

EUVD-2026-14917 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy