Auth bypass in Go-vikunja Vikunja

CVE-2026-33313

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the t…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.000 (2.2th percentile)
