Overview
A critical authorization bypass vulnerability has been identified in Vikunja, a popular open-source task management platform, affecting all versions prior to 2.2.1. The flaw carries a CVSS score of 9.8 (Critical) and allows authenticated users with read-level access to escalate privileges to admin-level share permissions.
Vulnerability Details
The vulnerability stems from two distinct but related authorization failures in the Vikunja API:
1. LinkSharing.ReadAll Endpoint — Share Hash Exposure
The LinkSharing.ReadAll endpoint returns share hashes to any user with read access to a resource. In Vikunja's sharing model, these hashes act as bearer tokens granting the level of access they were created with — including admin-level shares. A malicious read-only user can harvest admin share hashes and use them to perform unauthorized privileged operations.
2. GetTaskAttachment Endpoint — Improper Permission Validation
The GetTaskAttachment endpoint performs permission checks against user-supplied task IDs rather than the actual task ID associated with the attachment. An attacker can supply an arbitrary task ID that they have permission to access, bypassing access controls on attachments belonging to unrelated, restricted tasks.
Impact
- Permission escalation: Read-only collaborators can gain admin-level share access
- Unauthorized data access: Users can retrieve file attachments from tasks they have no legitimate access to
- Potential data exfiltration: Both flaws can be combined to access sensitive project data and files across team workspaces
Affected Versions
All Vikunja releases before version 2.2.1 are vulnerable.
Remediation
Update Vikunja to version 2.2.1 or later immediately. The patched release addresses both the LinkSharing.ReadAll hash exposure and the GetTaskAttachment permission validation bypass.
# Docker users — pull the updated image
docker pull vikunja/vikunja:2.2.1
docker compose up -dIf immediate patching is not possible, consider:
- Restricting Vikunja to trusted internal networks only
- Removing all external link shares until patched
- Auditing existing share permissions for unauthorized escalation