Skip to main content

Suse EUVDEUVD-2026-14921

| CVE-2026-33678 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-03-24 GitHub_M GHSA-jfmm-mjcp-8wq2
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 24, 2026 - 16:00 euvd
EUVD-2026-14921
Analysis Generated
Mar 24, 2026 - 16:00 vuln.today
CVE Published
Mar 24, 2026 - 15:44 nvd
HIGH 8.1

DescriptionGitHub Advisory

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, TaskAttachment.ReadOne() queries attachments by ID only (WHERE id = ?), ignoring the task ID from the URL path. The permission check in CanRead() validates access to the task specified in the URL, but ReadOne() loads a different attachment that may belong to a task in another project. This allows any authenticated user to download or delete any attachment in the system by providing their own accessible task ID with a target attachment ID. Attachment IDs are sequential integers, making enumeration trivial. Version 2.2.1 patches the issue.

AnalysisAI

Vikunja, an open-source self-hosted task management platform, contains an insecure direct object reference (IDOR) vulnerability that allows any authenticated user to access or delete attachments belonging to other users' tasks. The vulnerability affects all versions prior to 2.2.1, enabling attackers to enumerate and download attachments by combining their own valid task ID with sequential attachment IDs. With a CVSS score of 8.1 (High severity), this represents a significant confidentiality and integrity risk, though no evidence of active exploitation (KEV) or public proof-of-concept has been reported.

Technical ContextAI

The vulnerability affects Vikunja task management platform (CPE: cpe:2.3:a:go-vikunja:vikunja) and stems from CWE-639 (Authorization Bypass Through User-Controlled Key). The root cause lies in the TaskAttachment.ReadOne() function, which queries attachments using only the attachment ID parameter without validating that the attachment belongs to the task specified in the URL path. While the CanRead() permission check validates access to the task in the URL, the subsequent ReadOne() operation retrieves attachments based solely on attachment ID, creating a classic IDOR vulnerability. Because attachment IDs are sequential integers rather than unpredictable tokens, attackers can trivially enumerate all attachments in the system by iterating through ID values.

RemediationAI

Upgrade Vikunja to version 2.2.1 or later immediately, as documented in the official security advisory at https://github.com/go-vikunja/vikunja/security/advisories/GHSA-jfmm-mjcp-8wq2 and release changelog at https://vikunja.io/changelog/vikunja-v2.2.2-was-released. Version 2.2.1 patches the issue by properly validating that attachment IDs belong to the task specified in the URL path before allowing read or delete operations. As a temporary mitigation until patching is possible, consider restricting user registration to trusted users only, implementing enhanced logging to detect suspicious attachment access patterns, and reviewing access logs for sequential attachment ID requests that may indicate exploitation attempts. No effective workaround exists that fully addresses the vulnerability without upgrading.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

EUVD-2026-14921 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy