CVE-2026-33313

UNKNOWN 0.0

Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to. Version 2.2.0 fixes the issue.

CWE	CWE-639
Vendor	go-vikunja
Product	vikunja
Published	Mar 24, 2026
Last Updated	Mar 24, 2026

Stay Ahead of the Next One

Get instant alerts for go-vikunja vikunja

Be the first to know when new unknown vulnerabilities affecting go-vikunja vikunja are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

go-vikunja / vikunja

< 2.2.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/go-vikunja/vikunja/security/advisories/GHSA-mr3j-p26x-72x4 github.com: https://github.com/go-vikunja/vikunja/commit/bc6d843ed4df82a6c89f10aa676a7a33d27bf2fd vikunja.io: https://vikunja.io/changelog/vikunja-v2.2.0-was-released