GHSA-2pv8-4c52-mf8j: Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR
Two independently exploitable authorization flaws in Vikunja can be chained to allow an unauthenticated attacker to download and delete every file attachment across all projects in a Vikunja instance. The ReadAll endpoint for link shares exposes share hashes (including admin-level shares) to any user with read access, enabling permission escalation. The task attachment ReadOne/GetTaskAttachment endpoint performs permission checks against a user-supplied task ID but fetches the attachment by its own sequential ID without verifying that the attachment belongs to that task, enabling cross-project file access.
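The attachment flaw described above is a missing binding between the object that was authorized (the task) and the object that is returned (the attachment). The following Go sketch is an added example, not Vikunja's code: the `Store` type, the `lookup` function, and the sample data are hypothetical and exist only to show the check a reviewer should look for.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical in-memory model for illustration; not Vikunja's schema or code.
type Attachment struct {
	ID, TaskID int64
	File       string
}

type Store struct {
	attachments map[int64]Attachment // keyed by sequential attachment ID
	taskProject map[int64]int64      // task ID -> project ID
	readable    map[int64]bool       // project IDs the caller may read
}

var ErrForbidden, ErrNotFound = errors.New("forbidden"), errors.New("attachment not found")

// lookup authorizes against the caller-supplied task ID, then loads the
// attachment by its own ID. bind=false stops there (the flawed pattern);
// bind=true also requires the attachment to belong to the authorized task.
func (s *Store) lookup(taskID, attachmentID int64, bind bool) (Attachment, error) {
	if !s.readable[s.taskProject[taskID]] {
		return Attachment{}, ErrForbidden
	}
	a, ok := s.attachments[attachmentID]
	if !ok || (bind && a.TaskID != taskID) {
		return Attachment{}, ErrNotFound // same error either way: no ID oracle
	}
	return a, nil
}

// sampleStore is constructed data: the caller can read project 1 only.
func sampleStore() *Store {
	return &Store{
		attachments: map[int64]Attachment{1: {1, 10, "notes.txt"}, 2: {2, 20, "payroll.pdf"}},
		taskProject: map[int64]int64{10: 1, 20: 2},
		readable:    map[int64]bool{1: true},
	}
}

func main() {
	_, unbound := sampleStore().lookup(10, 2, false) // nil: cross-project attachment returned
	_, bound := sampleStore().lookup(10, 2, true)    // ErrNotFound: attachment 2 is not on task 10
	fmt.Println("unbound:", unbound, "| bound:", bound)
}
```

In a database-backed service the same binding is usually expressed by selecting on both the attachment ID and the task ID in one query, so an unbound fetch cannot be written by accident.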
References
- github.com/advisories/GHSA-2pv8-4c52-mf8j
- github.com/go-vikunja/vikunja
- github.com/go-vikunja/vikunja/security/advisories/GHSA-2pv8-4c52-mf8j
- github.com/go-vikunja/vikunja/security/advisories/GHSA-8hp8-9fhr-pfm9
- github.com/go-vikunja/vikunja/security/advisories/GHSA-jfmm-mjcp-8wq2
- vikunja.io/changelog/vikunja-v2.2.2-was-released