PT-2026-27449 · Vikunja · Vikunja

Restriction · Published 2026-03-24 · Updated 2026-03-27 · CVE-2026-33676

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Vikunja versions prior to 2.2.1

Description: Vikunja is a self-hosted task management platform. Before version 2.2.1, the API, when returning tasks, included complete task objects in the related tasks field without verifying whether the user had permission to view the projects those related tasks belonged to. This allowed an authenticated user with access to a task that has cross-project relationships to obtain details (title, description, due dates, priority, percent completion, and project ID) of tasks in projects they were not authorized to access. The task-retrieval endpoint is the one that populates the related tasks field with this sensitive information, so the vulnerable parameter is related tasks.

Recommendations: Upgrade to version 2.2.1 or later.
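As an added illustration of the authorization gap described above (constructed example, not Vikunja's own code; the types, the permission map and the sample data are assumptions), the unchecked related-task expansion is shown beside a corrected version that omits related tasks whose project the requesting user cannot read:

```go
package main
// Constructed data model standing in for a task tracker (hypothetical, not Vikunja's own code).
type Task struct {
	ID, ProjectID int64
	Title         string
	Related       []int64 // IDs of related tasks, which may live in other projects
}

// Store holds tasks plus per-user project read grants: userID -> projectID -> allowed.
type Store struct {
	Tasks   map[int64]Task
	CanRead map[int64]map[int64]bool
}

// expandRelatedUnchecked mirrors the vulnerable behaviour: every related task is
// returned in full, with no check that the caller may view its project.
func (s *Store) expandRelatedUnchecked(t Task) []Task {
	var out []Task
	for _, id := range t.Related {
		if r, ok := s.Tasks[id]; ok {
			out = append(out, r)
		}
	}
	return out
}

// expandRelatedChecked adds the missing authorization step: a related task is
// included only when the caller has read access to the project it belongs to.
func (s *Store) expandRelatedChecked(userID int64, t Task) []Task {
	var out []Task
	for _, id := range t.Related {
		r, ok := s.Tasks[id]
		if !ok || !s.CanRead[userID][r.ProjectID] {
			continue // inaccessible project: omit the task rather than leak its fields
		}
		out = append(out, r)
	}
	return out
}
// sampleStore: user 1 may read project 10 only; task 100 (project 10) relates to task 200 (project 20).
func sampleStore() *Store {
	return &Store{
		Tasks: map[int64]Task{
			100: {ID: 100, ProjectID: 10, Title: "Public roadmap", Related: []int64{200}},
			200: {ID: 200, ProjectID: 20, Title: "Confidential budget"},
		},
		CanRead: map[int64]map[int64]bool{1: {10: true}},
	}
}
```

A detection-side variant of the same check is to log every related task dropped by the filter, since a steady stream of drops for one user is a signal worth reviewing.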

Exploit

Fix

Weakness Enumeration

Incorrect Authorization

Related identifiers

CVE-2026-33676
GHSA-8CMM-J6C4-RR8V
GO-2026-4847
SUSE-SU-2026:1135-1

Affected products

Vikunja