CVE-2026-33700

UNKNOWN 0.0

Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DELETE /api/v1/projects/:project/shares/:share` endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares from other projects by providing their own project ID combined with the target share ID. Version 2.2.1 patches the issue.

CWE	CWE-639
Vendor	go-vikunja
Product	vikunja
Published	Mar 24, 2026
Last Updated	Mar 24, 2026

Stay Ahead of the Next One

Get instant alerts for go-vikunja vikunja

Be the first to know when new unknown vulnerabilities affecting go-vikunja vikunja are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

go-vikunja / vikunja

< 2.2.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/go-vikunja/vikunja/security/advisories/GHSA-f95f-77jx-fcjc vikunja.io: https://vikunja.io/changelog/vikunja-v2.2.2-was-released