Skip to main content

Vikunja EUVDEUVD-2026-42890

| CVE-2026-56765 CRITICAL
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-10 VulnCheck GHSA-pg6g-jf8c-49p7
9.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

Network-reachable, low-complexity IDOR exploitable without privileges or interaction via public link shares (PR:N/UI:N); reading exposes files (C:H) and deletion affects integrity and availability (I:H/A:H).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 16:16 EUVD
Analysis Generated
Jul 10, 2026 - 15:25 vuln.today

DescriptionCVE.org

Vikunja before 2.2.1 contains an authorization flaw where the LinkSharing.ReadAll endpoint exposes share hashes to users with read access, enabling permission escalation to admin-level shares. The GetTaskAttachment endpoint performs permission checks against user-supplied task IDs but fetches attachments by sequential ID without verifying ownership, allowing attackers to download and delete all file attachments across all projects instance-wide.

AnalysisAI

Instance-wide data breach in Vikunja before 2.2.1 lets remote attackers exfiltrate and destroy every file attachment across all projects on a server. Two flaws chain together: the LinkSharing.ReadAll endpoint leaks share hashes to any user with read access, enabling escalation to admin-level shares, and the GetTaskAttachment endpoint validates permissions against a user-supplied task ID while fetching the attachment by an unrelated sequential ID, an insecure-direct-object-reference that ignores ownership. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach public Vikunja link share
Delivery
Call LinkSharing.ReadAll to leak share hashes
Exploit
Escalate to admin-level share access
Execution
Enumerate sequential attachment IDs via GetTaskAttachment
Persist
Download all cross-project attachments
Impact
Delete attachments instance-wide

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Vikunja instance expose the LinkSharing and task-attachment API endpoints over the network and, for fully unauthenticated abuse, that at least one public (password-less) link share exists to provide the initial read access that leaks admin-level share hashes; the chain then abuses predictable sequential attachment IDs, so no per-file authorization is needed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals point to a genuine high-priority issue rather than an inflated CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach a Vikunja instance - for example via any public link share - calls LinkSharing.ReadAll to harvest higher-privilege share hashes, then uses that access to invoke GetTaskAttachment while incrementing the sequential attachment ID. By walking the ID space they download every file attachment on the server regardless of project ownership, and can issue delete requests to destroy them. …
Remediation Vendor-released patch: 2.2.1 - upgrade all Vikunja instances to 2.2.1 or later as the primary fix, per GHSA-2pv8-4c52-mf8j (https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2pv8-4c52-mf8j). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Restrict network access to Vikunja instances to authenticated corporate network only; inventory critical attachments for backup verification. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42890 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy