{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability to use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-33676",
        "tracking": {
            "current_release_date": "2026-03-27T20:50:25.271231Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-33676",
            "initial_release_date": "2026-03-24T20:51:33.170922Z",
            "revision_history": [
                {
                    "date": "2026-03-24T20:51:33.170922Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-03-24T20:51:36.238806Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-24T20:51:37.136042Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-03-24T20:51:40.130675Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-24T20:53:20.388316Z",
                    "number": "5",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-25T21:49:51.947034Z",
                    "number": "6",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (6).| CWES updated (1)."
                },
                {
                    "date": "2026-03-25T21:50:00.595567Z",
                    "number": "7",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-26T00:12:48.199317Z",
                    "number": "8",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (5).| CWES updated (1)."
                },
                {
                    "date": "2026-03-26T00:12:54.441785Z",
                    "number": "9",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-26T00:50:05.448277Z",
                    "number": "10",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-26T00:50:15.506238Z",
                    "number": "11",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-27T00:14:08.811773Z",
                    "number": "12",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| References created (5)."
                },
                {
                    "date": "2026-03-27T00:14:11.891116Z",
                    "number": "13",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-27T19:45:48.261922Z",
                    "number": "14",
                    "summary": "Products created (1).| Product Identifiers created (1).| Exploits created (1)."
                },
                {
                    "date": "2026-03-27T19:45:50.339871Z",
                    "number": "15",
                    "summary": "NCSC Score updated."
                }
            ],
            "status": "interim",
            "version": "15"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=0|<2.2.1",
                                "product": {
                                    "name": "vers:unknown/>=0|<2.2.1",
                                    "product_id": "CSAFPID-5911160"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "api"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<2.2.1",
                                "product": {
                                    "name": "vers:unknown/<2.2.1",
                                    "product_id": "CSAFPID-5902472"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "vikunja"
                    }
                ],
                "category": "vendor",
                "name": "go-vikunja"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<2.2.1",
                                "product": {
                                    "name": "vers:unknown/<2.2.1",
                                    "product_id": "CSAFPID-5943812",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "vikunja"
                    }
                ],
                "category": "vendor",
                "name": "vikunja"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-33676",
            "cwe": {
                "id": "CWE-863",
                "name": "Incorrect Authorization"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to. Version 2.2.1 patches the issue.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33676.json"
                },
                {
                    "category": "description",
                    "text": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to. Version 2.2.1 patches the issue.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33676"
                },
                {
                    "category": "description",
                    "text": "## Summary\n\nWhen the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to.\n\n## Details\n\nThe vulnerability is in `addRelatedTasksToTasks()` at `pkg/models/tasks.go:496-548`. This function is called by `addMoreInfoToTasks()` (line 773) during every task read operation — both project task listings (`GET /api/v1/projects/{id}/views/{id}/tasks`) and single task reads (`GET /api/v1/tasks/{id}`).\n\nThe function fetches all related tasks directly from the database without any permission filtering:\n\n```go\n// pkg/models/tasks.go:496-548\nfunc addRelatedTasksToTasks(s *xorm.Session, taskIDs []int64, taskMap map[int64]*Task, a web.Auth) (err error) {\n    relatedTasks := []*TaskRelation{}\n    err = s.In(\"task_id\", taskIDs).Find(&relatedTasks)\n    // ...\n    fullRelatedTasks := make(map[int64]*Task)\n    err = s.In(\"id\", relatedTaskIDs).Find(&fullRelatedTasks)  // Line 514: NO permission check\n    // ...\n    for _, rt := range relatedTasks {\n        // Directly adds to response without checking if user can read the related task\n        taskMap[rt.TaskID].RelatedTasks[rt.RelationKind] = append(\n            taskMap[rt.TaskID].RelatedTasks[rt.RelationKind], otherTask)\n    }\n}\n```\n\nThe `a web.Auth` parameter is received but only used for determining favorites (line 519), never for access control on the related tasks themselves.\n\nIn contrast, `addBucketsToTasks()` (line 550+) in the same file correctly filters enrichment data by calling `getAllRawProjects(s, a, ...)` to scope results to projects the requesting user can access.\n\nWhile task relation **creation** properly enforces authorization (`task_relation_permissions.go:32-52` checks write access on the base task and read access on the other task), the relation **display** path does not re-check permissions for the current reader. This means a privileged user can create a relation that then leaks data to all other users who can read the base task.\n\n## PoC\n\n**Setup:** Two users (User A, User B), two projects (Project-Shared, Project-Private).\n- User A has access to both projects.\n- User B has access only to Project-Shared.\n- Task 1 exists in Project-Shared, Task 2 exists in Project-Private.\n\n**Step 1: User A creates a relation between the two tasks**\n\n```bash\n# As User A (who has access to both projects)\ncurl -X PUT \"http://localhost:3456/api/v1/tasks/TASK1_ID/relations\" \\\n  -H \"Authorization: Bearer USER_A_TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"other_task_id\": TASK2_ID, \"relation_kind\": \"related\"}'\n```\n\nExpected: 201 Created (User A has write on Task 1, read on Task 2).\n\n**Step 2: User B reads tasks from the shared project**\n\n```bash\n# As User B (who has NO access to Project-Private)\ncurl \"http://localhost:3456/api/v1/projects/PROJECT_SHARED_ID/views/VIEW_ID/tasks\" \\\n  -H \"Authorization: Bearer USER_B_TOKEN\"\n```\n\nExpected: Task 1 should be returned, but related_tasks should NOT include Task 2.\n\n**Actual result:** The response includes Task 1 with the `related_tasks` field containing the full Task 2 object, including its `title`, `description`, `due_date`, `priority`, `percent_done`, `project_id`, and other metadata — despite User B having no access to Project-Private.\n\n## Impact\n\n- **Information disclosure**: Any authenticated user can read the full metadata of tasks in projects they do not have access to, as long as a relation exists from a task they can read.\n- **Leaked fields include**: title, description, due dates, start dates, priority, percent completion, project ID, hex color, task index, done status, repeat configuration, cover image attachment ID, and creation/update timestamps.\n- **Project structure disclosure**: The `project_id` field reveals the existence and IDs of private projects.\n- **No user interaction required**: Once a privileged user creates a cross-project relation (which is intentionally allowed), the data leak is automatic for all readers of the base task.\n- **Blast radius**: Affects all Vikunja instances with cross-project task relations. In multi-tenant or team environments where projects have different access scopes, this undermines project-level access control.\n\n## Recommended Fix\n\nFilter related tasks by the requesting user's read permissions before adding them to the response. In `addRelatedTasksToTasks()`, after fetching full task objects, check that the user can read each related task's project:\n\n```go\nfunc addRelatedTasksToTasks(s *xorm.Session, taskIDs []int64, taskMap map[int64]*Task, a web.Auth) (err error) {\n    relatedTasks := []*TaskRelation{}\n    err = s.In(\"task_id\", taskIDs).Find(&relatedTasks)\n    if err != nil {\n        return\n    }\n\n    var relatedTaskIDs []int64\n    for _, rt := range relatedTasks {\n        relatedTaskIDs = append(relatedTaskIDs, rt.OtherTaskID)\n    }\n\n    if len(relatedTaskIDs) == 0 {\n        return\n    }\n\n    fullRelatedTasks := make(map[int64]*Task)\n    err = s.In(\"id\", relatedTaskIDs).Find(&fullRelatedTasks)\n    if err != nil {\n        return\n    }\n\n    // Filter related tasks by user's read permission\n    allowedProjectIDs := make(map[int64]bool)\n    checkedProjectIDs := make(map[int64]bool)\n    for _, t := range fullRelatedTasks {\n        if checkedProjectIDs[t.ProjectID] {\n            continue\n        }\n        checkedProjectIDs[t.ProjectID] = true\n        p := &Project{ID: t.ProjectID}\n        canRead, _, err := p.CanRead(s, a)\n        if err != nil {\n            log.Errorf(\"Could not check project read permission: %v\", err)\n            continue\n        }\n        if canRead {\n            allowedProjectIDs[t.ProjectID] = true\n        }\n    }\n\n    taskFavorites, err := getFavorites(s, relatedTaskIDs, a, FavoriteKindTask)\n    if err != nil {\n        return err\n    }\n\n    for _, rt := range relatedTasks {\n        task, has := fullRelatedTasks[rt.OtherTaskID]\n        if !has {\n            continue\n        }\n        // Skip related tasks the user cannot access\n        if !allowedProjectIDs[task.ProjectID] {\n            continue\n        }\n        fullRelatedTasks[rt.OtherTaskID].IsFavorite = taskFavorites[rt.OtherTaskID]\n        otherTask := &Task{}\n        err = copier.Copy(otherTask, fullRelatedTasks[rt.OtherTaskID])\n        if err != nil {\n            log.Errorf(\"Could not duplicate task object: %v\", err)\n            continue\n        }\n        otherTask.RelatedTasks = nil\n        taskMap[rt.TaskID].RelatedTasks[rt.RelationKind] = append(\n            taskMap[rt.TaskID].RelatedTasks[rt.RelationKind], otherTask)\n    }\n\n    return\n}\n```\n\nThis checks project-level read permission once per unique project ID (cached in `allowedProjectIDs`) and skips related tasks from projects the user cannot access.",
                    "title": "github - https://api.github.com/advisories/GHSA-8cmm-j6c4-rr8v"
                },
                {
                    "category": "description",
                    "text": "## Summary\n\nWhen the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to.\n\n## Details\n\nThe vulnerability is in `addRelatedTasksToTasks()` at `pkg/models/tasks.go:496-548`. This function is called by `addMoreInfoToTasks()` (line 773) during every task read operation — both project task listings (`GET /api/v1/projects/{id}/views/{id}/tasks`) and single task reads (`GET /api/v1/tasks/{id}`).\n\nThe function fetches all related tasks directly from the database without any permission filtering:\n\n```go\n// pkg/models/tasks.go:496-548\nfunc addRelatedTasksToTasks(s *xorm.Session, taskIDs []int64, taskMap map[int64]*Task, a web.Auth) (err error) {\n    relatedTasks := []*TaskRelation{}\n    err = s.In(\"task_id\", taskIDs).Find(&relatedTasks)\n    // ...\n    fullRelatedTasks := make(map[int64]*Task)\n    err = s.In(\"id\", relatedTaskIDs).Find(&fullRelatedTasks)  // Line 514: NO permission check\n    // ...\n    for _, rt := range relatedTasks {\n        // Directly adds to response without checking if user can read the related task\n        taskMap[rt.TaskID].RelatedTasks[rt.RelationKind] = append(\n            taskMap[rt.TaskID].RelatedTasks[rt.RelationKind], otherTask)\n    }\n}\n```\n\nThe `a web.Auth` parameter is received but only used for determining favorites (line 519), never for access control on the related tasks themselves.\n\nIn contrast, `addBucketsToTasks()` (line 550+) in the same file correctly filters enrichment data by calling `getAllRawProjects(s, a, ...)` to scope results to projects the requesting user can access.\n\nWhile task relation **creation** properly enforces authorization (`task_relation_permissions.go:32-52` checks write access on the base task and read access on the other task), the relation **display** path does not re-check permissions for the current reader. This means a privileged user can create a relation that then leaks data to all other users who can read the base task.\n\n## PoC\n\n**Setup:** Two users (User A, User B), two projects (Project-Shared, Project-Private).\n- User A has access to both projects.\n- User B has access only to Project-Shared.\n- Task 1 exists in Project-Shared, Task 2 exists in Project-Private.\n\n**Step 1: User A creates a relation between the two tasks**\n\n```bash\n# As User A (who has access to both projects)\ncurl -X PUT \"http://localhost:3456/api/v1/tasks/TASK1_ID/relations\" \\\n  -H \"Authorization: Bearer USER_A_TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"other_task_id\": TASK2_ID, \"relation_kind\": \"related\"}'\n```\n\nExpected: 201 Created (User A has write on Task 1, read on Task 2).\n\n**Step 2: User B reads tasks from the shared project**\n\n```bash\n# As User B (who has NO access to Project-Private)\ncurl \"http://localhost:3456/api/v1/projects/PROJECT_SHARED_ID/views/VIEW_ID/tasks\" \\\n  -H \"Authorization: Bearer USER_B_TOKEN\"\n```\n\nExpected: Task 1 should be returned, but related_tasks should NOT include Task 2.\n\n**Actual result:** The response includes Task 1 with the `related_tasks` field containing the full Task 2 object, including its `title`, `description`, `due_date`, `priority`, `percent_done`, `project_id`, and other metadata — despite User B having no access to Project-Private.\n\n## Impact\n\n- **Information disclosure**: Any authenticated user can read the full metadata of tasks in projects they do not have access to, as long as a relation exists from a task they can read.\n- **Leaked fields include**: title, description, due dates, start dates, priority, percent completion, project ID, hex color, task index, done status, repeat configuration, cover image attachment ID, and creation/update timestamps.\n- **Project structure disclosure**: The `project_id` field reveals the existence and IDs of private projects.\n- **No user interaction required**: Once a privileged user creates a cross-project relation (which is intentionally allowed), the data leak is automatic for all readers of the base task.\n- **Blast radius**: Affects all Vikunja instances with cross-project task relations. In multi-tenant or team environments where projects have different access scopes, this undermines project-level access control.\n\n## Recommended Fix\n\nFilter related tasks by the requesting user's read permissions before adding them to the response. In `addRelatedTasksToTasks()`, after fetching full task objects, check that the user can read each related task's project:\n\n```go\nfunc addRelatedTasksToTasks(s *xorm.Session, taskIDs []int64, taskMap map[int64]*Task, a web.Auth) (err error) {\n    relatedTasks := []*TaskRelation{}\n    err = s.In(\"task_id\", taskIDs).Find(&relatedTasks)\n    if err != nil {\n        return\n    }\n\n    var relatedTaskIDs []int64\n    for _, rt := range relatedTasks {\n        relatedTaskIDs = append(relatedTaskIDs, rt.OtherTaskID)\n    }\n\n    if len(relatedTaskIDs) == 0 {\n        return\n    }\n\n    fullRelatedTasks := make(map[int64]*Task)\n    err = s.In(\"id\", relatedTaskIDs).Find(&fullRelatedTasks)\n    if err != nil {\n        return\n    }\n\n    // Filter related tasks by user's read permission\n    allowedProjectIDs := make(map[int64]bool)\n    checkedProjectIDs := make(map[int64]bool)\n    for _, t := range fullRelatedTasks {\n        if checkedProjectIDs[t.ProjectID] {\n            continue\n        }\n        checkedProjectIDs[t.ProjectID] = true\n        p := &Project{ID: t.ProjectID}\n        canRead, _, err := p.CanRead(s, a)\n        if err != nil {\n            log.Errorf(\"Could not check project read permission: %v\", err)\n            continue\n        }\n        if canRead {\n            allowedProjectIDs[t.ProjectID] = true\n        }\n    }\n\n    taskFavorites, err := getFavorites(s, relatedTaskIDs, a, FavoriteKindTask)\n    if err != nil {\n        return err\n    }\n\n    for _, rt := range relatedTasks {\n        task, has := fullRelatedTasks[rt.OtherTaskID]\n        if !has {\n            continue\n        }\n        // Skip related tasks the user cannot access\n        if !allowedProjectIDs[task.ProjectID] {\n            continue\n        }\n        fullRelatedTasks[rt.OtherTaskID].IsFavorite = taskFavorites[rt.OtherTaskID]\n        otherTask := &Task{}\n        err = copier.Copy(otherTask, fullRelatedTasks[rt.OtherTaskID])\n        if err != nil {\n            log.Errorf(\"Could not duplicate task object: %v\", err)\n            continue\n        }\n        otherTask.RelatedTasks = nil\n        taskMap[rt.TaskID].RelatedTasks[rt.RelationKind] = append(\n            taskMap[rt.TaskID].RelatedTasks[rt.RelationKind], otherTask)\n    }\n\n    return\n}\n```\n\nThis checks project-level read permission once per unique project ID (cached in `allowedProjectIDs`) and skips related tasks from projects the user cannot access.",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-8cmm-j6c4-rr8v.json?alt=media"
                },
                {
                    "category": "description",
                    "text": "Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read in code.vikunja.io/api.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: code.vikunja.io/api before v2.2.1.",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4847.json?alt=media"
                },
                {
                    "category": "other",
                    "text": "0.00028",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "3.4",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "Is related to CWE-863 (Incorrect Authorization)",
                    "title": "NCSC Score top increasing factors"
                },
                {
                    "category": "other",
                    "text": "Exploit code publicly available, There is exploit data available from source Nvd, Is related to (a version of) an uncommon product",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5902472",
                    "CSAFPID-5911160",
                    "CSAFPID-5943812"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33676.json"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33676"
                },
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-8cmm-j6c4-rr8v"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-8cmm-j6c4-rr8v.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4847.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8cmm-j6c4-rr8v"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/go-vikunja/vikunja/pull/2449"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/go-vikunja/vikunja/commit/833f2aec006ac0f6643c41872e45dd79220b9174"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33676"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-8cmm-j6c4-rr8v"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                        "baseScore": 6.5,
                        "baseSeverity": "MEDIUM"
                    },
                    "products": [
                        "CSAFPID-5902472",
                        "CSAFPID-5911160",
                        "CSAFPID-5943812"
                    ]
                }
            ],
            "title": "CVE-2026-33676"
        }
    ]
}