PT-2026-27450 · Vikunja · Vikunja

Restriction · Published 2026-03-24 · Updated 2026-03-24 · CVE-2026-33677

CVSS v3.1: 6.5 (Medium), AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Vikunja versions prior to 2.2.1

Description

Vikunja is a self-hosted task management platform. The GET /api/v1/projects/:project/webhooks API endpoint exposes BasicAuth credentials (basic auth user and basic auth password) in plaintext to users with read access to the project. The HMAC secret field is masked, but the BasicAuth fields are not, allowing read-only collaborators to potentially steal credentials used for authenticating external webhook receivers.

Recommendations

Update to version 2.2.1 or later.
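
The masking gap described above, as an added Go example that is not Vikunja's code: the struct, JSON keys and function names are assumptions made for illustration. It compares masking only the HMAC secret with masking every credential field, and reports which sensitive keys a read response would still carry.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Webhook is a hypothetical model; field and JSON key names are assumptions, not Vikunja's schema.
type Webhook struct {
	TargetURL         string `json:"target_url"`
	Secret            string `json:"secret"`
	BasicAuthUser     string `json:"basic_auth_user"`
	BasicAuthPassword string `json:"basic_auth_password"`
}

// sensitiveKeys lists JSON keys that must never carry a value in a read response.
var sensitiveKeys = []string{"secret", "basic_auth_user", "basic_auth_password"}

// maskSecretOnly reproduces the described flaw: only the HMAC secret is cleared.
func maskSecretOnly(w Webhook) Webhook {
	w.Secret = ""
	return w
}

// maskAllCredentials clears every credential field before serialization.
func maskAllCredentials(w Webhook) Webhook {
	w.Secret, w.BasicAuthUser, w.BasicAuthPassword = "", "", ""
	return w
}

// LeakedKeys serializes w as a response body and returns the sensitive keys still holding a value.
func LeakedKeys(w Webhook) []string {
	raw, _ := json.Marshal(w) // cannot fail for a struct of strings
	var body map[string]string
	_ = json.Unmarshal(raw, &body)
	leaked := []string{}
	for _, k := range sensitiveKeys {
		if body[k] != "" {
			leaked = append(leaked, k)
		}
	}
	return leaked
}

func main() {
	w := Webhook{TargetURL: "https://receiver.example/hook", Secret: "hmac-key",
		BasicAuthUser: "svc-user", BasicAuthPassword: "svc-pass"} // constructed sample
	fmt.Println("secret-only masking leaks:", LeakedKeys(maskSecretOnly(w)))
	fmt.Println("full masking leaks:", LeakedKeys(maskAllCredentials(w)))
}
```

A check like LeakedKeys fits as a regression test on the serialized response, so a credential field added later without masking fails the build.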

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-33677

Affected Products

Vikunja