CVE-2026-33680

Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.2.2

Description Vikunja is a self-hosted task management platform. A flaw exists in the LinkSharing.ReadAll() method where authenticated users with link share access can list all link shares for a project, including their secret hashes. The ReadAllWeb handler bypasses access checks by not calling CanRead(), allowing an attacker with read-only link share access to retrieve hashes for write or admin link shares within the same project. This can lead to escalating privileges to full admin access. The vulnerable function is LinkSharing.ReadAll(). The affected API endpoint is ReadAllWeb.

Recommendations Update to version 2.2.2 or later.