CVE-2026-33700: Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion

March 25, 2026

The DELETE /api/v1/projects/:project/shares/:share endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares from other projects by providing their own project ID combined with the target share ID.

References

github.com/advisories/GHSA-f95f-77jx-fcjc
github.com/go-vikunja/vikunja
github.com/go-vikunja/vikunja/security/advisories/GHSA-f95f-77jx-fcjc
nvd.nist.gov/vuln/detail/CVE-2026-33700
vikunja.io/changelog/vikunja-v2.2.2-was-released

Code Behaviors & Features

Detect and mitigate CVE-2026-33700 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →