GHSA-pg6g-jf8c-49p7CriticalCVSS 9.8
Vikunja before 2.2.1 contains an authorization flaw where the LinkSharing.ReadAll endpoint...
🔗 CVE IDs covered (1)
📋 Description
Vikunja before 2.2.1 contains an authorization flaw where the LinkSharing.ReadAll endpoint exposes share hashes to users with read access, enabling permission escalation to admin-level shares. The GetTaskAttachment endpoint performs permission checks against user-supplied task IDs but fetches attachments by sequential ID without verifying ownership, allowing attackers to download and delete all file attachments across all projects instance-wide.
🔗 References (4)
- https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2pv8-4c52-mf8j
- https://nvd.nist.gov/vuln/detail/CVE-2026-56765
- https://www.vulncheck.com/advisories/vikunja-unauthenticated-instance-wide-data-breach-via-link-share-hash-disclosure-chained-with-cross-project-attachment-idor
- https://github.com/advisories/GHSA-pg6g-jf8c-49p7