CVE-2026-33679

Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.2.1

Description Vikunja is a self-hosted task management platform. A flaw exists in the DownloadImage function within pkg/utils/avatar.go where insufficient Server-Side Request Forgery (SSRF) protection is applied when downloading user avatar images from the OpenID Connect picture claim URL. This allows an attacker controlling their OpenID Connect profile picture URL to potentially force the Vikunja server to make HTTP GET requests to arbitrary internal or cloud metadata endpoints, bypassing existing SSRF protections applied to the webhook system.

Recommendations Update to version 2.2.1 or later.