Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the LinkSharing.ReadAll() method allows link share authenticated users to list all link shares for a project, including their secret hashes. While LinkSharing.CanRead() correctly blocks link share users from reading individual shares via ReadOne, the ReadAllWeb handler bypasses this check by never calling CanRead(). An attacker with a read-only link share can retrieve hashes for write or admin link shares on the same project and authenticate with them, escalating to full admin access. Version 2.2.2 patches the issue.
AnalysisAI
Vikunja, an open-source self-hosted task management platform, contains an authorization bypass vulnerability that allows attackers with read-only link share access to escalate privileges to full admin access. The ReadAllWeb handler fails to enforce proper access controls when listing link shares, exposing secret hashes for higher-privilege shares. Versions prior to 2.2.2 are affected, and a patch is available in version 2.2.2.
Technical ContextAI
This vulnerability affects Vikunja (CPE: cpe:2.3:a:go-vikunja:vikunja:*:*:*:*:*:*:*:*), a Go-based task management application. The issue stems from CWE-285 (Improper Authorization), where the LinkSharing.ReadAll() method exposes all link share tokens including their secret hashes without proper authorization checks. While the LinkSharing.CanRead() method correctly restricts link share users from reading individual shares via ReadOne, the ReadAllWeb handler completely bypasses this security control by never invoking CanRead(). This architectural flaw in the authorization layer allows authenticated users with limited permissions to access data they should not be able to view, specifically the secret hashes that grant elevated access levels.
RemediationAI
Immediately upgrade Vikunja to version 2.2.2 or later, which contains the security patch that properly enforces authorization checks in the ReadAllWeb handler (patch commit available at https://github.com/go-vikunja/vikunja/commit/9efe1fadba817923c7c7f5953c3e9e9c5683bbf3). The official changelog with upgrade instructions is available at https://vikunja.io/changelog/vikunja-v2.2.2-was-released, and the complete security advisory can be found at https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8hp8-9fhr-pfm9. If immediate patching is not feasible, consider temporarily disabling link sharing functionality until the upgrade can be completed, or restrict network access to the Vikunja instance to trusted IP ranges only. Review audit logs for any suspicious activity involving link share authentication and verify that no unauthorized privilege escalation has occurred prior to patching.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14925
GHSA-8hp8-9fhr-pfm9