Nixpkgs security tracker

Untriaged

Permalink CVE-2026-33676

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

created 1 month ago Activity log

Created suggestion 1 month ago

Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the `related_tasks` field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to. Version 2.2.1 patches the issue.

References

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8cmm-j6c4-rr8v exploitx_refsource_CONFIRM
https://github.com/go-vikunja/vikunja/pull/2449 x_refsource_MISC
https://github.com/go-vikunja/vikunja/commit/833f2aec006ac0f6643c41872e45dd79220b9174 x_refsource_MISC
https://vikunja.io/changelog/vikunja-v2.2.2-was-released x_refsource_MISC

Affected products

vikunja

==< 2.2.1

Matching in nixpkgs

pkgs.vikunja

Todo-app to organize your life

nixos-unstable 2.1.0
- nixpkgs-unstable 2.1.0
- nixos-unstable-small 2.2.0
nixos-25.11 2.2.0
- nixos-25.11-small 2.2.0
- nixpkgs-25.11-darwin 2.2.0

pkgs.vikunja-desktop

Desktop App of the Vikunja to-do list app

nixos-unstable 2.1.0
- nixpkgs-unstable 2.1.0
- nixos-unstable-small 2.2.0

Package maintainers