CVE-2026-56765
Vikunja · Vikunja
Vikunja is affected by an authorization bypass vulnerability that allows unauthenticated users to access, download, and delete sensitive project attachments instance-wide.
Executive summary
An authorization bypass in Vikunja enables unauthenticated users to perform unauthorized data access and deletion across the entire instance.
Vulnerability
The application contains an authorization flaw in the LinkSharing.ReadAll endpoint and the GetTaskAttachment endpoint. These flaws allow an unauthenticated attacker to escalate privileges to admin-level shares and access or delete files by manipulating sequential IDs without verifying ownership.
Business impact
The CVSS score of 9.8 underscores the severity of this vulnerability, which allows for a total breach of confidentiality and integrity regarding project attachments. An attacker can exploit this to exfiltrate sensitive project data or disrupt operations by deleting critical files across the entire application instance.
Remediation
Immediate Action: Upgrade Vikunja to version 2.2.1 or higher immediately to resolve the identified authorization bypass flaws.
Proactive Monitoring: Review system and application access logs for anomalous requests to attachment or sharing endpoints, specifically looking for sequential ID access patterns.
Compensating Controls: Implement strict network access controls to limit exposure of the Vikunja instance to trusted users until the patch is applied.
Exploitation status
Public Exploit Available: False
Analyst recommendation
This vulnerability is highly critical due to the ease with which it can be exploited by unauthenticated users. Organizations should prioritize patching to 2.2.1 immediately to protect against potential instance-wide data breaches and integrity loss.