PT-2026-26622 · Vikunja · Vikunja

Kolaente · Published 2026-03-20 · Updated 2026-03-27 · CVE-2026-33312

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Vikunja versions 0.20.2 through 2.1.9

Description: Vikunja is a self-hosted task management platform. The DELETE /api/v1/projects/:project/background endpoint checks the caller's CanRead permission where it should check CanUpdate. As a result, any user with read-only access to a project can permanently delete the project's background image: the file is removed from storage and cannot be recovered, which amounts to unauthorized data destruction. The defect is in the RemoveProjectBackground handler in pkg/modules/background/handler/background.go, which reuses a helper function originally written for read-only operations, so the destructive request is gated on read rights; the checkProjectBackgroundRights function performs the improper permission check. The vulnerable endpoint is /api/v1/projects/:project/background and the relevant parameter is the project id.

Recommendations: Vikunja versions 0.20.2 through 2.1.9 are affected; update to version 2.2.0 or later.
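To make the described check concrete, the following is an added Go example, not Vikunja's own code: the Project and Store types, the permission model, the handler names and the in-memory file storage are all assumptions constructed for illustration. It places a background-removal handler gated on a read check beside the same handler gated on an update check, and exercises both with a user who holds only a read share on the project, so the difference in outcome (file deleted versus request rejected) is visible and testable.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission levels a user can hold on a project. Hypothetical model,
// not Vikunja's own types; it only mirrors the read/update distinction
// the advisory describes.
type Permission int

const (
	PermNone Permission = iota
	PermRead
	PermWrite
)

type Project struct {
	ID         int64
	OwnerID    int64
	Shares     map[int64]Permission // userID -> permission granted by a share
	Background string               // name of the stored background file, "" if none
}

type Store struct {
	Projects map[int64]*Project
	Files    map[string][]byte // constructed in-memory file storage
}

// CanRead: the owner or anyone holding at least a read share.
func (p *Project) CanRead(userID int64) bool {
	if p.OwnerID == userID {
		return true
	}
	return p.Shares[userID] >= PermRead
}

// CanUpdate: the owner or a write share. Deleting a background mutates the
// project and removes a stored file, so this is the check it needs.
func (p *Project) CanUpdate(userID int64) bool {
	if p.OwnerID == userID {
		return true
	}
	return p.Shares[userID] >= PermWrite
}

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("project not found")
)

// removeBackground is the shared deletion logic, parameterised by the
// rights check so the two variants below differ only in which check they pass.
func (s *Store) removeBackground(projectID, userID int64, allowed func(*Project, int64) bool) error {
	p, ok := s.Projects[projectID]
	if !ok {
		return ErrNotFound
	}
	if !allowed(p, userID) {
		return ErrForbidden
	}
	if p.Background != "" {
		delete(s.Files, p.Background) // irreversible: the file is gone from storage
		p.Background = ""
	}
	return nil
}

// RemoveBackgroundVulnerable reproduces the pattern in the advisory: a
// DELETE handler reusing a helper built for read-only operations.
func (s *Store) RemoveBackgroundVulnerable(projectID, userID int64) error {
	return s.removeBackground(projectID, userID, (*Project).CanRead)
}

// RemoveBackgroundFixed gates the destructive operation on update rights.
func (s *Store) RemoveBackgroundFixed(projectID, userID int64) error {
	return s.removeBackground(projectID, userID, (*Project).CanUpdate)
}

// newSampleStore builds a constructed fixture: project 1 owned by user 10,
// shared read-only with user 20, with a background file present.
func newSampleStore() *Store {
	return &Store{
		Projects: map[int64]*Project{
			1: {ID: 1, OwnerID: 10, Shares: map[int64]Permission{20: PermRead}, Background: "bg-1.png"},
		},
		Files: map[string][]byte{"bg-1.png": []byte("fake png bytes")},
	}
}

func main() {
	s := newSampleStore()
	err := s.RemoveBackgroundVulnerable(1, 20)
	_, present := s.Files["bg-1.png"]
	fmt.Printf("vulnerable handler, read-only user: err=%v, file present=%v\n", err, present)

	s = newSampleStore()
	err = s.RemoveBackgroundFixed(1, 20)
	_, present = s.Files["bg-1.png"]
	fmt.Printf("fixed handler, read-only user: err=%v, file present=%v\n", err, present)
}
```

The design point is that the deletion path and the permission check are separated, so the fix is a one-line change of which check is passed; a table-driven test that calls every mutating handler with a read-only user and expects ErrForbidden would catch a regression of this kind before release.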

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2026-33312
GHSA-564F-WX8X-878H
GO-2026-4795
SUSE-SU-2026:1135-1

Affected Products

Vikunja