Auth bypass in Go-vikunja Vikunja
CVE-2026-33700
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DELETE /api/v1/projects/:project/shares/:share` endpoint does not verify that the link share belongs to the project specified in the URL. An attac…
Vulnerability class: IDOR (Insecure Direct Object Reference)
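The missing ownership check described above, shown next to a scoped version. This is an added example, not Vikunja's code: the types, function names, in-memory store and the authorization model (the caller is checked against the project named in the URL) are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified types constructed for this example.
type LinkShare struct{ ID, ProjectID int64 }
type Caller struct{ AdminOf map[int64]bool } // projects the caller may manage (assumed model)
type Store map[int64]LinkShare               // share ID -> share

var ErrForbidden = errors.New("forbidden")
var ErrNotFound = errors.New("link share not found")

// DeleteUnscoped checks the caller against the project from the URL, then
// deletes by share ID alone: the share is never tied back to that project.
func DeleteUnscoped(st Store, c Caller, projectID, shareID int64) error {
	if !c.AdminOf[projectID] {
		return ErrForbidden
	}
	if _, ok := st[shareID]; !ok {
		return ErrNotFound
	}
	delete(st, shareID)
	return nil
}

// DeleteScoped adds the ownership check: the share must belong to the project
// named in the URL. A mismatch returns the same error as a missing share, so
// the response does not reveal that the ID exists in another project.
func DeleteScoped(st Store, c Caller, projectID, shareID int64) error {
	if !c.AdminOf[projectID] {
		return ErrForbidden
	}
	if s, ok := st[shareID]; !ok || s.ProjectID != projectID {
		return ErrNotFound
	}
	delete(st, shareID)
	return nil
}

func main() {
	c := Caller{AdminOf: map[int64]bool{1: true}}
	// Constructed sample data: share 20 belongs to project 2, not project 1.
	st := Store{10: {ID: 10, ProjectID: 1}, 20: {ID: 20, ProjectID: 2}}
	fmt.Println(DeleteScoped(st, c, 1, 20), DeleteUnscoped(st, c, 1, 20))
}
```

In a database-backed handler the same check is usually expressed by putting both the share ID and the project ID in the lookup or delete condition, so a mismatched pair affects zero rows.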
EPSS: 0.000 (15.0th percentile)
Affected products
- Go-vikunja Vikunja — versions < 2.2.1
Weakness classification (CWE)
References
- https://github.com/go-vikunja/vikunja/security/advisories/GHSA-f95f-77jx-fcjc (x_refsource_CONFIRM)
- https://vikunja.io/changelog/vikunja-v2.2.2-was-released (x_refsource_MISC)