Skip to main content

Suse EUVDEUVD-2026-14925

| CVE-2026-33680 HIGH
Improper Authorization (CWE-285)
2026-03-24 GitHub_M GHSA-8hp8-9fhr-pfm9
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 24, 2026 - 16:00 euvd
EUVD-2026-14925
Analysis Generated
Mar 24, 2026 - 16:00 vuln.today
CVE Published
Mar 24, 2026 - 15:47 nvd
HIGH 7.5

DescriptionGitHub Advisory

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the LinkSharing.ReadAll() method allows link share authenticated users to list all link shares for a project, including their secret hashes. While LinkSharing.CanRead() correctly blocks link share users from reading individual shares via ReadOne, the ReadAllWeb handler bypasses this check by never calling CanRead(). An attacker with a read-only link share can retrieve hashes for write or admin link shares on the same project and authenticate with them, escalating to full admin access. Version 2.2.2 patches the issue.

AnalysisAI

Vikunja, an open-source self-hosted task management platform, contains an authorization bypass vulnerability that allows attackers with read-only link share access to escalate privileges to full admin access. The ReadAllWeb handler fails to enforce proper access controls when listing link shares, exposing secret hashes for higher-privilege shares. Versions prior to 2.2.2 are affected, and a patch is available in version 2.2.2.

Technical ContextAI

This vulnerability affects Vikunja (CPE: cpe:2.3:a:go-vikunja:vikunja:*:*:*:*:*:*:*:*), a Go-based task management application. The issue stems from CWE-285 (Improper Authorization), where the LinkSharing.ReadAll() method exposes all link share tokens including their secret hashes without proper authorization checks. While the LinkSharing.CanRead() method correctly restricts link share users from reading individual shares via ReadOne, the ReadAllWeb handler completely bypasses this security control by never invoking CanRead(). This architectural flaw in the authorization layer allows authenticated users with limited permissions to access data they should not be able to view, specifically the secret hashes that grant elevated access levels.

RemediationAI

Immediately upgrade Vikunja to version 2.2.2 or later, which contains the security patch that properly enforces authorization checks in the ReadAllWeb handler (patch commit available at https://github.com/go-vikunja/vikunja/commit/9efe1fadba817923c7c7f5953c3e9e9c5683bbf3). The official changelog with upgrade instructions is available at https://vikunja.io/changelog/vikunja-v2.2.2-was-released, and the complete security advisory can be found at https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8hp8-9fhr-pfm9. If immediate patching is not feasible, consider temporarily disabling link sharing functionality until the upgrade can be completed, or restrict network access to the Vikunja instance to trusted IP ranges only. Review audit logs for any suspicious activity involving link share authentication and verify that no unauthorized privilege escalation has occurred prior to patching.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

EUVD-2026-14925 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy