CVE-2026-33677: Vikunja: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API
The GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials (basic_auth_user and basic_auth_password) in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC secret field, the BasicAuth fields added in a later migration were not given the same treatment. This allows read-only collaborators to steal credentials intended for authenticating against external webhook receivers.
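The defect and its fix, as an added illustration in Go (the language Vikunja is written in); this is not Vikunja's own code, and the struct, field names and function names are assumptions. It contrasts a read-API view that clears only the HMAC secret with one that clears every credential field in a single place, plus a regression check that confirms no credential value survives in the serialised listing.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Webhook is an assumed shape for a project webhook record as returned by a
// listing endpoint such as GET /api/v1/projects/:project/webhooks.
type Webhook struct {
	ID                int64  `json:"id"`
	TargetURL         string `json:"target_url"`
	Secret            string `json:"secret"`
	BasicAuthUser     string `json:"basic_auth_user"`
	BasicAuthPassword string `json:"basic_auth_password"`
}

// LegacyView reproduces the flawed behaviour: only the HMAC secret is masked,
// so fields added later (BasicAuth) reach read-only collaborators in plaintext.
func LegacyView(w Webhook) Webhook {
	w.Secret = ""
	return w
}

// RedactedView is the hardened form: every credential field is cleared here,
// so a new secret field must be added to this one function to be exposed.
func RedactedView(w Webhook) Webhook {
	w.Secret = ""
	w.BasicAuthUser = ""
	w.BasicAuthPassword = ""
	return w
}

// ListResponse serialises the webhooks for a read caller using the given view.
func ListResponse(ws []Webhook, view func(Webhook) Webhook) ([]byte, error) {
	out := make([]Webhook, 0, len(ws))
	for _, w := range ws {
		out = append(out, view(w))
	}
	return json.Marshal(out)
}

// LeaksCredentials is a regression check: it reports whether any non-empty
// credential value appears verbatim in a serialised API response body.
func LeaksCredentials(body []byte, creds ...string) bool {
	for _, c := range creds {
		if c != "" && strings.Contains(string(body), c) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample record; the values are placeholders, not real credentials.
	hook := Webhook{ID: 1, TargetURL: "https://receiver.example/hook",
		Secret: "hmac-secret", BasicAuthUser: "svc-user", BasicAuthPassword: "p@ssw0rd"}
	for name, view := range map[string]func(Webhook) Webhook{"legacy": LegacyView, "redacted": RedactedView} {
		body, _ := ListResponse([]Webhook{hook}, view)
		fmt.Printf("%s leaks=%v %s\n", name, LeaksCredentials(body, hook.Secret, hook.BasicAuthUser, hook.BasicAuthPassword), body)
	}
}
```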