CVE-2026-33312 is an authorization vulnerability classified under CWE-863 (Incorrect Authorization) in the Vikunja task management platform. The vulnerability arises because the DELETE /api/v1/projects/:project/background endpoint incorrectly validates user permissions by checking if the user has read access (CanRead) rather than update access (CanUpdate). This logic flaw allows any user with read-only access to a project to delete the project's background image, an action that should be restricted to users with update privileges. The affected versions range from 0.20.2 up to but not including 2.2.0, with the issue resolved in version 2.2.0. The vulnerability does not require elevated privileges beyond read access, nor does it require user interaction, making it relatively easy to exploit in environments where read access is granted. The impact is confined to the deletion of background images, which, while not critical to project data integrity or availability, can degrade user experience and project presentation. No known exploits have been reported in the wild, and no patch links are provided in the source data, but upgrading to version 2.2.0 is the recommended remediation. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required beyond read access, no user interaction, and limited impact on integrity (low) and no impact on confidentiality or availability.

The primary impact of this vulnerability is the unauthorized deletion of project background images by users who only have read access. While this does not compromise the confidentiality, integrity, or availability of core project data or the system itself, it can negatively affect the user experience and visual presentation of projects. In collaborative environments, this could lead to confusion or dissatisfaction among users, especially if background images are used for branding or organizational purposes. Since the vulnerability requires only read access, any user with such permissions can exploit it, potentially increasing the risk in environments with many read-only users. However, the scope of damage is limited and does not extend to critical data or system compromise. There are no known exploits in the wild, which reduces immediate risk, but the vulnerability should still be addressed to maintain proper authorization controls and prevent misuse.

Organizations using Vikunja versions between 0.20.2 and 2.2.0 should upgrade to version 2.2.0 or later, where the authorization check has been corrected to require update permissions for deleting project background images. Until upgrading is possible, administrators should restrict read access to trusted users only, minimizing the risk of unauthorized deletions. Additionally, monitoring API usage logs for unusual DELETE requests to the /api/v1/projects/:project/background endpoint can help detect potential exploitation attempts. Implementing access control reviews and audits to ensure that users have appropriate permissions aligned with their roles will further reduce risk. If custom deployments exist, consider applying a temporary patch or modifying the authorization logic to enforce CanUpdate checks on the affected endpoint. Finally, educating users about the importance of permission management and monitoring changes to project assets can help maintain operational integrity.