Description
Vikunja before 2.2.1 contains an authorization flaw where the LinkSharing.ReadAll endpoint exposes share hashes to users with read access, enabling permission escalation to admin-level shares. The GetTaskAttachment endpoint performs permission checks against user-supplied task IDs but fetches attachments by sequential ID without verifying ownership, allowing attackers to download and delete all file attachments across all projects instance-wide.
Problem types
Authorization Bypass Through User-Controlled Key
Product status
Any version before 2.2.1
2.2.1 (semver)
Credits
offset
References
github.com/...ikunja/security/advisories/GHSA-2pv8-4c52-mf8j
github.com/...ikunja/security/advisories/GHSA-2pv8-4c52-mf8j (GitHub Security Advisory (GHSA-2pv8-4c52-mf8j))
www.vulncheck.com/...ined-with-cross-project-attachment-idor (VulnCheck Advisory: Vikunja - Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR)