Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2026-33676
Analyzed
More InfoOfficial Page
Source-security-advisories@github.com
View Known Exploited Vulnerability (KEV) details
Published At-24 Mar, 2026 | 16:16
Updated At-27 Mar, 2026 | 16:12

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to. Version 2.2.1 patches the issue.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CPE Matches
vikunja
vikunja
>>vikunja>>Versions before 2.2.1(exclusive)
cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-863Secondarysecurity-advisories@github.com
CWE ID: CWE-863
Type: Secondary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/go-vikunja/vikunja/commit/833f2aec006ac0f6643c41872e45dd79220b9174security-advisories@github.com
Patch
https://github.com/go-vikunja/vikunja/pull/2449security-advisories@github.com
Issue Tracking
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8cmm-j6c4-rr8vsecurity-advisories@github.com
Exploit
Vendor Advisory
https://vikunja.io/changelog/vikunja-v2.2.2-was-releasedsecurity-advisories@github.com
Release Notes
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8cmm-j6c4-rr8v134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Vendor Advisory
Hyperlink: https://github.com/go-vikunja/vikunja/commit/833f2aec006ac0f6643c41872e45dd79220b9174
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/go-vikunja/vikunja/pull/2449
Source: security-advisories@github.com
Resource:
Issue Tracking
Hyperlink: https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8cmm-j6c4-rr8v
Source: security-advisories@github.com
Resource:
Exploit
Vendor Advisory
Hyperlink: https://vikunja.io/changelog/vikunja-v2.2.2-was-released
Source: security-advisories@github.com
Resource:
Release Notes
Hyperlink: https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8cmm-j6c4-rr8v
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource:
Exploit
Vendor Advisory
Change History
0Changes found
Details not found