CVE-2026-56765

Vikunja · Vikunja

Vikunja is affected by an authorization bypass vulnerability that allows unauthenticated users to access, download, and delete sensitive project attachments instance-wide.

Executive summary

An authorization bypass in Vikunja enables unauthenticated users to perform unauthorized data access and deletion across the entire instance.

Vulnerability

The application contains an authorization flaw in the LinkSharing.ReadAll endpoint and the GetTaskAttachment endpoint. These flaws allow an unauthenticated attacker to escalate privileges to admin-level shares and access or delete files by manipulating sequential IDs without verifying ownership.

Business impact

The CVSS score of 9.8 underscores the severity of this vulnerability, which allows for a total breach of confidentiality and integrity regarding project attachments. An attacker can exploit this to exfiltrate sensitive project data or disrupt operations by deleting critical files across the entire application instance.

Remediation

Immediate Action: Upgrade Vikunja to version 2.2.1 or higher immediately to resolve the identified authorization bypass flaws.

Proactive Monitoring: Review system and application access logs for anomalous requests to attachment or sharing endpoints, specifically looking for sequential ID access patterns.

Compensating Controls: Implement strict network access controls to limit exposure of the Vikunja instance to trusted users until the patch is applied.

Exploitation status

Public Exploit Available: False

Analyst recommendation

This vulnerability is highly critical due to the ease with which it can be exploited by unauthenticated users. Organizations should prioritize patching to 2.2.1 immediately to protect against potential instance-wide data breaches and integrity loss.