CVE-2026-33678: Vikunja: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion
TaskAttachment.ReadOne() queries attachments by ID only (WHERE id = ?), ignoring the task ID from the URL path. The permission check in CanRead() validates access to the task specified in the URL, but ReadOne() loads a different attachment that may belong to a task in another project. This allows any authenticated user to download or delete any attachment in the system by providing their own accessible task ID with a target attachment ID. Attachment IDs are sequential integers, making enumeration trivial.
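A minimal Go illustration of the defect described above and of the corrected lookup, added here as an example and not taken from Vikunja's code: the Attachment type, the in-memory table and the readOneVulnerable/readOneFixed functions are hypothetical stand-ins for the real model and database query.

```go
package main

import (
	"errors"
	"fmt"
)

// Attachment is a simplified stand-in for a task attachment row (hypothetical).
type Attachment struct {
	ID     int64
	TaskID int64
	File   string
}

// attachments is a constructed in-memory table standing in for the database.
var attachments = []Attachment{
	{ID: 1, TaskID: 10, File: "notes.txt"},    // task 10, project A
	{ID: 2, TaskID: 20, File: "payroll.xlsx"}, // task 20, project B
}
var ErrNotFound = errors.New("attachment not found")

// readOneVulnerable mirrors the advisory's defect: the row is looked up by
// attachment ID alone, so the task that CanRead() authorised is never applied.
func readOneVulnerable(taskID, attachmentID int64) (*Attachment, error) {
	_ = taskID // authorised task is ignored, as in the vulnerable query
	for i := range attachments {
		if attachments[i].ID == attachmentID {
			return &attachments[i], nil
		}
	}
	return nil, ErrNotFound
}

// readOneFixed scopes the lookup to the authorised task (WHERE id = ? AND task_id = ?),
// so an attachment ID from another task resolves to "not found", not to someone's file.
func readOneFixed(taskID, attachmentID int64) (*Attachment, error) {
	for i := range attachments {
		if attachments[i].ID == attachmentID && attachments[i].TaskID == taskID {
			return &attachments[i], nil
		}
	}
	return nil, ErrNotFound
}

func main() {
	// Caller authorised on task 10 requests attachment 2, which belongs to task 20.
	fmt.Println(readOneVulnerable(10, 2)) // &{2 20 payroll.xlsx} <nil>
	fmt.Println(readOneFixed(10, 2))      // <nil> attachment not found
}
```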