PT-2026-27451 · Vikunja · Vikunja
Restriction · Published 2026-03-24 · Updated 2026-03-24 · CVE-2026-33678
CVSS v3.1: 8.1 (High) · AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Vikunja versions prior to 2.2.1

Description: Vikunja is a self-hosted task management platform. The TaskAttachment.ReadOne() function queries attachments by attachment ID alone and disregards the task ID taken from the URL. The permission check in CanRead() verifies access to the task named in the URL, but ReadOne() can then load an attachment that belongs to a different task. This allows authenticated users to potentially download or delete any attachment by manipulating the task ID. Attachment IDs are sequential integers, which simplifies identifying them. The vulnerable function is TaskAttachment.ReadOne().

Recommendations: Update to version 2.2.1 or later.
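The check/load mismatch described above, as an added illustration that is not Vikunja's code: a hypothetical in-memory store where canRead() authorises the task from the URL, readOneByIDOnly() reproduces the weak lookup keyed on the attachment ID alone, and readOneScoped() shows the corrected lookup that also requires the attachment to belong to that task. All names, sample attachments and permissions are constructed for the example.

```go
package main

import "errors"
// Hypothetical in-memory model; not Vikunja's code.
type Attachment struct {
	ID, TaskID int64
	File       string
}

var (
	errForbidden = errors.New("forbidden")
	errNotFound  = errors.New("attachment not found")
	// Constructed sample data: attachments 1 and 2 belong to task 10, attachment 3 to task 20.
	attachments = []Attachment{{1, 10, "spec.pdf"}, {2, 10, "notes.txt"}, {3, 20, "salary.xlsx"}}
	// Constructed permissions: which users may read which task.
	taskReaders = map[int64]map[string]bool{10: {"alice": true}, 20: {"bob": true}}
)

// canRead verifies access to the task named in the URL, as the advisory describes.
func canRead(user string, taskID int64) bool { return taskReaders[taskID][user] }

// readOneByIDOnly mirrors the weak pattern: the lookup keys on the attachment ID alone,
// so the task ID the permission check was made against is never consulted.
func readOneByIDOnly(_ int64, attachmentID int64) (Attachment, error) {
	for _, a := range attachments {
		if a.ID == attachmentID {
			return a, nil
		}
	}
	return Attachment{}, errNotFound
}

// readOneScoped is the corrected pattern: the attachment must belong to the authorised
// task, so an attachment ID from another task is treated as non-existent.
func readOneScoped(taskID, attachmentID int64) (Attachment, error) {
	for _, a := range attachments {
		if a.ID == attachmentID && a.TaskID == taskID {
			return a, nil
		}
	}
	return Attachment{}, errNotFound
}

// download has the handler's shape: check the task, then load the attachment with the given lookup.
func download(user string, taskID, attachmentID int64, lookup func(int64, int64) (Attachment, error)) (Attachment, error) {
	if !canRead(user, taskID) {
		return Attachment{}, errForbidden
	}
	return lookup(taskID, attachmentID)
}
```

With the weak lookup, a user authorised for task 10 receives attachment 3 from task 20; with the scoped lookup the same request fails as not found, and a direct request for task 20 is refused by the permission check.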

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-33678

Affected Products: Vikunja