Auth bypass in Go-vikunja Vikunja

CVE-2026-33312

Vikunja is an open-source self-hosted task management platform. Starting in version 0.20.2 and prior to version 2.2.0, the `DELETE /api/v1/projects/:project/background` endpoint checks `CanRead` permission instead of `CanUpdate`, allowing…

Vulnerability class: Broken Access Control

EPSS: 0.001 (17.8th percentile) — read the EPSS interpretation.

Affected products

Go-vikunja Vikunja — versions >= 0.20.2, < 2.2.0

Weakness classification (CWE)

CWE-863 — Incorrect Authorization

References

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-564f-wx8x-878h (x_refsource_CONFIRM)
https://vikunja.io/changelog/vikunja-v2.2.0-was-released (x_refsource_MISC)