Vikunja before 2.2.1 contains an authorization flaw where...
Critical severity
Unreviewed
Published
Jul 10, 2026
to the GitHub Advisory Database
•
Updated Jul 10, 2026
Description
Published by the National Vulnerability Database
Jul 10, 2026
Published to the GitHub Advisory Database
Jul 10, 2026
Last updated
Jul 10, 2026
Vikunja before 2.2.1 contains an authorization flaw where the LinkSharing.ReadAll endpoint exposes share hashes to users with read access, enabling permission escalation to admin-level shares. The GetTaskAttachment endpoint performs permission checks against user-supplied task IDs but fetches attachments by sequential ID without verifying ownership, allowing attackers to download and delete all file attachments across all projects instance-wide.
References