Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1842+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-56765: Vikunja Authorization Bypass Enables Permission Escalation
CVE-2026-56765: Vikunja Authorization Bypass Enables Permission Escalation

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-56765

CVE-2026-56765: Vikunja Authorization Bypass Enables Permission Escalation

A critical authorization flaw in Vikunja task manager (CVSS 9.8) exposes share hashes via LinkSharing.ReadAll and allows task attachment access through improper permission checks. Update to 2.2.1 immediately.

Dylan H.

Security Team

July 11, 2026
2 min read

Affected Products

  • Vikunja < 2.2.1

Overview

A critical authorization bypass vulnerability has been identified in Vikunja, a popular open-source task management platform, affecting all versions prior to 2.2.1. The flaw carries a CVSS score of 9.8 (Critical) and allows authenticated users with read-level access to escalate privileges to admin-level share permissions.

Vulnerability Details

The vulnerability stems from two distinct but related authorization failures in the Vikunja API:

1. LinkSharing.ReadAll Endpoint — Share Hash Exposure

The LinkSharing.ReadAll endpoint returns share hashes to any user with read access to a resource. In Vikunja's sharing model, these hashes act as bearer tokens granting the level of access they were created with — including admin-level shares. A malicious read-only user can harvest admin share hashes and use them to perform unauthorized privileged operations.

2. GetTaskAttachment Endpoint — Improper Permission Validation

The GetTaskAttachment endpoint performs permission checks against user-supplied task IDs rather than the actual task ID associated with the attachment. An attacker can supply an arbitrary task ID that they have permission to access, bypassing access controls on attachments belonging to unrelated, restricted tasks.

Impact

  • Permission escalation: Read-only collaborators can gain admin-level share access
  • Unauthorized data access: Users can retrieve file attachments from tasks they have no legitimate access to
  • Potential data exfiltration: Both flaws can be combined to access sensitive project data and files across team workspaces

Affected Versions

All Vikunja releases before version 2.2.1 are vulnerable.

Remediation

Update Vikunja to version 2.2.1 or later immediately. The patched release addresses both the LinkSharing.ReadAll hash exposure and the GetTaskAttachment permission validation bypass.

# Docker users — pull the updated image
docker pull vikunja/vikunja:2.2.1
docker compose up -d

If immediate patching is not possible, consider:

  • Restricting Vikunja to trusted internal networks only
  • Removing all external link shares until patched
  • Auditing existing share permissions for unauthorized escalation

References

  • NVD — CVE-2026-56765
  • Vikunja Official Site
#CVE#Vulnerability#Authorization#Vikunja#Task Management

Related Articles

CVE-2026-48939: iCagenda Unrestricted File Upload Allows PHP Code Execution

A critical unrestricted file upload vulnerability in the iCagenda Joomla event calendar plugin allows unauthenticated attackers to upload arbitrary PHP files and achieve remote code execution. Added to CISA KEV on July 10, 2026.

3 min read

CVE-2026-59792: JetBrains IntelliJ IDEA Remote Code Execution via Path Traversal

A critical RCE vulnerability (CVSS 9.6) in JetBrains IntelliJ IDEA before 2026.1.4 allows code execution through path traversal in project workspace ID handling. Patch immediately to 2026.1.4 or 2026.2.

3 min read

CVE-2026-56291: Balbooa Forms Unrestricted File Upload Enables Full RCE

A critical unauthenticated file upload vulnerability in Balbooa Forms for Joomla allows attackers to upload executable files and achieve full remote code execution on affected sites.

3 min read
Back to all Security Alerts