PT-2026-26751 · Vikunja · Vikunja

Kolaente · Published 2026-03-20 · Updated 2026-03-27 · CVE-2026-33313

CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Vikunja (affected versions not specified)
Description: An authenticated user can read task comments without proper authorization. Any task comment can be read by its ID, even when the user has no access to the task it belongs to, by substituting a task ID the user is allowed to read into the API URL. The /api/v1/tasks/{taskID}/comments/{commentID} endpoint authorizes the request against the task ID from the URL but then loads the comment solely by its comment ID, never verifying that the comment actually belongs to that task. CanRead checks permissions based on the task ID taken from the URL, while getTaskCommentSimple retrieves the comment using only the comment ID, with struct-field filtering disabled, so the task ID is not part of the query. The result is an insecure direct object reference (IDOR): an attacker needs only a valid account, read access to some task of their own, and the target comment's ID to retrieve comments from tasks they cannot see, which can leak sensitive information.
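To make the flaw concrete, the following Go program is an added example written for this page; it is not Vikunja's code, and the Store, TaskComment, ParseCommentPath, ReadCommentVulnerable and ReadCommentFixed names, as well as the sample user, tasks and comments, are hypothetical stand-ins. It reproduces the flawed flow the advisory describes (authorize on the URL's task ID, then load the comment by its own ID alone) beside a hardened flow that binds the comment lookup to the task that was actually authorized.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// TaskComment is a hypothetical, simplified stand-in for a comment record
// (not Vikunja's real struct).
type TaskComment struct {
	ID      int64
	TaskID  int64
	Comment string
}

// Store holds constructed sample data: which users may read which tasks,
// and the comments attached to those tasks.
type Store struct {
	comments map[int64]TaskComment    // comment ID -> comment
	access   map[int64]map[int64]bool // user ID -> task ID -> may read
}

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("not found")
)

// NewSampleStore builds constructed data: user 42 may read task 1 only.
// Comment 5 belongs to task 1, comment 7 belongs to task 2.
func NewSampleStore() *Store {
	return &Store{
		comments: map[int64]TaskComment{
			5: {ID: 5, TaskID: 1, Comment: "shared note"},
			7: {ID: 7, TaskID: 2, Comment: "private note on another task"},
		},
		access: map[int64]map[int64]bool{
			42: {1: true},
		},
	}
}

// ParseCommentPath extracts taskID and commentID from a path shaped like
// /api/v1/tasks/{taskID}/comments/{commentID}. Both values are attacker
// controlled: this is where the task ID gets swapped.
func ParseCommentPath(path string) (taskID, commentID int64, err error) {
	parts := strings.Split(strings.Trim(path, "/"), "/")
	if len(parts) != 6 || parts[0] != "api" || parts[1] != "v1" ||
		parts[2] != "tasks" || parts[4] != "comments" {
		return 0, 0, fmt.Errorf("unexpected path %q", path)
	}
	if taskID, err = strconv.ParseInt(parts[3], 10, 64); err != nil {
		return 0, 0, err
	}
	if commentID, err = strconv.ParseInt(parts[5], 10, 64); err != nil {
		return 0, 0, err
	}
	return taskID, commentID, nil
}

// CanReadTask is the authorization check: it consults only the task ID
// taken from the URL, as the advisory describes.
func (s *Store) CanReadTask(userID, taskID int64) bool {
	return s.access[userID][taskID]
}

// ReadCommentVulnerable reproduces the flawed flow: authorize on taskID,
// then load the comment by its ID alone. The URL's taskID is never
// compared with the comment's own TaskID.
func (s *Store) ReadCommentVulnerable(userID int64, path string) (TaskComment, error) {
	taskID, commentID, err := ParseCommentPath(path)
	if err != nil {
		return TaskComment{}, err
	}
	if !s.CanReadTask(userID, taskID) {
		return TaskComment{}, ErrForbidden
	}
	c, ok := s.comments[commentID]
	if !ok {
		return TaskComment{}, ErrNotFound
	}
	return c, nil
}

// ReadCommentFixed keeps the same authorization check but binds the lookup
// to the task that was authorized: a comment that belongs to a different
// task is treated as non-existent, so the mismatch is not confirmed either.
func (s *Store) ReadCommentFixed(userID int64, path string) (TaskComment, error) {
	taskID, commentID, err := ParseCommentPath(path)
	if err != nil {
		return TaskComment{}, err
	}
	if !s.CanReadTask(userID, taskID) {
		return TaskComment{}, ErrForbidden
	}
	c, ok := s.comments[commentID]
	if !ok || c.TaskID != taskID {
		return TaskComment{}, ErrNotFound
	}
	return c, nil
}

func main() {
	s := NewSampleStore()
	// User 42 may read task 1 but not task 2, and requests task 2's
	// comment through task 1's URL.
	crafted := "/api/v1/tasks/1/comments/7"
	c, err := s.ReadCommentVulnerable(42, crafted)
	fmt.Printf("vulnerable: %q err=%v\n", c.Comment, err)
	c, err = s.ReadCommentFixed(42, crafted)
	fmt.Printf("fixed:      %q err=%v\n", c.Comment, err)
}
```

Running it shows the crafted URL /api/v1/tasks/1/comments/7 returning task 2's comment from the vulnerable flow and "not found" from the fixed one. Answering not-found rather than forbidden for a comment that exists but belongs to another task avoids turning the endpoint into an oracle for comment existence, and the same binding is needed anywhere a record is loaded by its own ID after authorization was performed on a parent ID from the URL.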
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-33313
GHSA-MR3J-P26X-72X4
GO-2026-4797
SUSE-SU-2026:1135-1

Affected Products

Vikunja