๐Ÿ” CVE Alert

CVE-2026-56765

CRITICAL 9.8

Vikunja - Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR

CVSS Score
9.8
EPSS Score
0.0%
EPSS Percentile
0th

Vikunja before 2.2.1 contains an authorization flaw where the LinkSharing.ReadAll endpoint exposes share hashes to users with read access, enabling permission escalation to admin-level shares. The GetTaskAttachment endpoint performs permission checks against user-supplied task IDs but fetches attachments by sequential ID without verifying ownership, allowing attackers to download and delete all file attachments across all projects instance-wide.

CWE CWE-639
Vendor vikunja
Product vikunja
Published Jul 10, 2026
Last Updated Jul 10, 2026
Stay Ahead of the Next One

Get instant alerts for vikunja vikunja

Be the first to know when new critical vulnerabilities affecting vikunja vikunja are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

Vikunja / Vikunja
0 < 2.2.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2pv8-4c52-mf8j vulncheck.com: https://www.vulncheck.com/advisories/vikunja-unauthenticated-instance-wide-data-breach-via-link-share-hash-disclosure-chained-with-cross-project-attachment-idor

Credits

๐Ÿ” offset