Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials (basic_auth_user and basic_auth_password) in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC secret field, the BasicAuth fields added in a later migration were not given the same treatment. This allows read-only collaborators to steal credentials intended for authenticating against external webhook receivers. Version 2.2.1 patches the issue.
AnalysisAI
Vikunja prior to version 2.2.1 exposes webhook BasicAuth credentials in plaintext through the GET /api/v1/projects/:project/webhooks API endpoint to any user with read access to a project. While HMAC secrets are properly masked, the BasicAuth username and password fields added in a later migration lack equivalent protection, allowing read-only collaborators to steal credentials intended for authenticating webhook requests to external systems. This is a confirmed information disclosure vulnerability with a CVSS 6.5 score reflecting moderate real-world risk due to the requirement for authenticated project access.
Technical ContextAI
Vikunja is an open-source self-hosted task management platform (cpe:2.3:a:go-vikunja:vikunja) built in Go that implements webhook functionality for project event notifications. The vulnerability stems from a data exposure weakness classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), where the API response serialization logic correctly masks sensitive HMAC secrets but fails to apply the same masking logic to BasicAuth credentials (basic_auth_user and basic_auth_password fields). This inconsistency suggests the BasicAuth fields were added in a later schema migration without implementing the existing credential-masking pattern, resulting in plaintext transmission of authentication material over API responses. The root cause is insufficient output encoding/filtering in the webhook resource representation layer.
RemediationAI
Upgrade Vikunja to version 2.2.1 or later immediately. This version includes fixes that mask BasicAuth credentials in the same manner as HMAC secrets, preventing their disclosure via the webhook API endpoint. Until patching is completed, restrict project read access to trusted collaborators only, implement network-level controls to limit API access to known internal IPs if operating in a closed environment, and audit webhook configurations to identify any credentials that may have been exposed. Organizations should rotate any BasicAuth credentials used in webhook configurations as a precaution. See the official advisory at https://github.com/go-vikunja/vikunja/security/advisories/GHSA-7c2g-p23p-4jg3 for additional guidance.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14920
GHSA-7c2g-p23p-4jg3