CVE-2026-33680: Vikunja: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
The LinkSharing.ReadAll() method allows users authenticated through a link share to list all link shares for a project, including their secret hashes. While LinkSharing.CanRead() correctly blocks link share users from reading individual shares via ReadOne, the ReadAllWeb handler bypasses this check because it never calls CanRead(). An attacker holding a read-only link share can therefore retrieve the hashes of write or admin link shares on the same project and authenticate with them, escalating to full admin access.
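The missing-check pattern described above, as an added Go model that is not Vikunja's code (the type names, the in-memory store, the project-admin lookup and the sample hashes are all constructed for this example): the list path skips the same authorization gate the single-record path applies, so a link-share principal receives every share record, and the fixed version applies that gate before listing.

```go
package main

import (
	"errors"
	"fmt"
)

// Added illustration of the advisory's bug; not Vikunja's code. All names,
// the store contents and the admin lookup below are assumptions.

// Right mirrors the three link-share permission levels named in the advisory.
type Right int

const (
	RightRead Right = iota
	RightWrite
	RightAdmin
)

// LinkShare is a share record; Hash is the secret that authenticates the share.
type LinkShare struct {
	ID        int64
	ProjectID int64
	Right     Right
	Hash      string
}

// Auth is the caller's identity: either a real user or a link-share principal.
type Auth struct {
	IsLinkShare bool
	UserID      int64
	ShareID     int64 // set when IsLinkShare is true
}

var ErrForbidden = errors.New("forbidden")

// store is a constructed in-memory table of link shares for one project.
var store = []LinkShare{
	{ID: 1, ProjectID: 10, Right: RightRead, Hash: "read-hash-CONSTRUCTED"},
	{ID: 2, ProjectID: 10, Right: RightWrite, Hash: "write-hash-CONSTRUCTED"},
	{ID: 3, ProjectID: 10, Right: RightAdmin, Hash: "admin-hash-CONSTRUCTED"},
}

// isProjectAdmin stands in for the project permission lookup
// (assumed: user 42 administers project 10; nobody else does).
func isProjectAdmin(a Auth, projectID int64) bool {
	return !a.IsLinkShare && a.UserID == 42 && projectID == 10
}

// canRead mirrors the per-record check the advisory attributes to ReadOne:
// link-share principals may never read share records, whatever their own right.
func canRead(a Auth, projectID int64) bool {
	if a.IsLinkShare {
		return false
	}
	return isProjectAdmin(a, projectID)
}

// readAllVulnerable reproduces the flaw: the listing path never consults canRead,
// so any principal that can reach it, including a read-only link share, receives
// every share on the project together with its hash.
func readAllVulnerable(a Auth, projectID int64) ([]LinkShare, error) {
	var out []LinkShare
	for _, s := range store {
		if s.ProjectID == projectID {
			out = append(out, s)
		}
	}
	return out, nil
}

// readAllFixed applies the same gate as the single-record path before listing.
// Only a project admin (a real user) gets the records; link shares are refused.
func readAllFixed(a Auth, projectID int64) ([]LinkShare, error) {
	if !canRead(a, projectID) {
		return nil, ErrForbidden
	}
	var out []LinkShare
	for _, s := range store {
		if s.ProjectID == projectID {
			out = append(out, s)
		}
	}
	return out, nil
}

func main() {
	readOnlyShare := Auth{IsLinkShare: true, ShareID: 1}
	leaked, _ := readAllVulnerable(readOnlyShare, 10)
	fmt.Printf("vulnerable path returned %d shares to a read-only link share\n", len(leaked))
	_, err := readAllFixed(readOnlyShare, 10)
	fmt.Println("fixed path for the same principal:", err)
}
```

The point to take from the model is that authorization checks must be applied per endpoint, not only on the single-record path: a list endpoint that returns the same records needs the same (or a stricter) gate, and a regression test that exercises the list endpoint with a link-share principal would have caught this class of bypass.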
References
- github.com/advisories/GHSA-8hp8-9fhr-pfm9
- github.com/go-vikunja/vikunja
- github.com/go-vikunja/vikunja/commit/9efe1fadba817923c7c7f5953c3e9e9c5683bbf3
- github.com/go-vikunja/vikunja/security/advisories/GHSA-8hp8-9fhr-pfm9
- nvd.nist.gov/vuln/detail/CVE-2026-33680
- pkg.go.dev/vuln/GO-2026-4848
- vikunja.io/changelog/vikunja-v2.2.2-was-released