CVE-2026-33312: CWE-863: Incorrect Authorization in go-vikunja vikunja

Severity: Medium
Published: Fri Mar 20 2026 (03/20/2026, 14:42:14 UTC)
Source: CVE Database V5
Vendor/Project: go-vikunja
Product: vikunja

Description

CVE-2026-33312 is a medium-severity authorization vulnerability in the open-source task management platform Vikunja, affecting versions from 0.20.2 up to but not including 2.2.0. The flaw arises because the DELETE /api/v1/projects/:project/background endpoint checks for read permission (CanRead) instead of update permission (CanUpdate). As a result, any user with read-only access to a project can permanently delete the project's background image. Exploitation requires no privilege beyond read access and no user interaction. Although the impact is limited to background images, it is an improper authorization control that can be used to disrupt a project's appearance or cause a minor denial of service. The issue is fixed in version 2.2.0.

AI-Powered Analysis

AI analysis last updated: 03/20/2026, 15:09:05 UTC

Technical Analysis

CVE-2026-33312 is an authorization vulnerability classified under CWE-863 (Incorrect Authorization) in the Vikunja task management platform, specifically in versions >= 0.20.2 and < 2.2.0. The vulnerability exists in the DELETE /api/v1/projects/:project/background API endpoint, which is designed to delete the background image of a project. Instead of verifying that the user has update permissions (CanUpdate) on the project, the endpoint erroneously checks only for read permissions (CanRead). Consequently, any user granted read-only access to a project can exploit this flaw to delete the project's background image permanently, despite lacking update privileges. This improper authorization check violates the principle of least privilege and could be leveraged to disrupt project aesthetics or cause minor denial of service. The vulnerability does not require elevated privileges beyond read access, nor does it require user interaction, making it easier to exploit in environments where read access is widely granted. The vulnerability was publicly disclosed on March 20, 2026, with a CVSS v4.0 base score of 5.3 (medium severity), reflecting its moderate impact and ease of exploitation. The issue has been resolved in Vikunja version 2.2.0, which correctly enforces CanUpdate permission on the affected endpoint.
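The following Go example is added here to illustrate the CWE-863 pattern described above; it is a constructed, simplified share model and is not Vikunja's own code. The Right levels, the Project type and the two delete functions are assumptions made for the illustration; only the CanRead/CanUpdate distinction comes from the advisory.

```go
package main

import "errors"

// Right is a simplified share permission level. This model is constructed
// for the example and is not Vikunja's own code.
type Right int

const (
	RightRead  Right = iota // may view the project
	RightWrite              // may modify it, including its background
	RightAdmin              // may also manage shares
)

// Project records the background filename and each user's granted right.
type Project struct {
	Background string
	Shares     map[int64]Right
}

// CanRead: any share; CanUpdate: at least write (unknown users map to RightRead, 0).
func (p *Project) CanRead(user int64) bool   { _, ok := p.Shares[user]; return ok }
func (p *Project) CanUpdate(user int64) bool { return p.Shares[user] >= RightWrite }

var ErrForbidden = errors.New("forbidden")

// DeleteBackgroundVulnerable reproduces the CWE-863 pattern of CVE-2026-33312:
// a destructive operation gated only on read permission.
func DeleteBackgroundVulnerable(p *Project, user int64) error {
	if !p.CanRead(user) {
		return ErrForbidden
	}
	p.Background = ""
	return nil
}

// DeleteBackgroundFixed gates the same operation on update permission,
// the check the 2.2.0 fix enforces.
func DeleteBackgroundFixed(p *Project, user int64) error {
	if !p.CanUpdate(user) {
		return ErrForbidden
	}
	p.Background = ""
	return nil
}

// NewDemoProject: user 1 is admin, user 2 has read-only access (constructed).
func NewDemoProject() *Project {
	return &Project{Background: "bg.png", Shares: map[int64]Right{1: RightAdmin, 2: RightRead}}
}
```

With the vulnerable check, user 2 (read-only) clears the background; with the fixed check the same call returns ErrForbidden and the background is left untouched, while the admin user still succeeds.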

Potential Impact

The primary impact of CVE-2026-33312 is the unauthorized deletion of project background images by users with read-only access. While this does not compromise sensitive data confidentiality or integrity of core project information, it can degrade user experience and trust in the platform by allowing unauthorized modification of project appearance. In collaborative environments, this could lead to confusion or disruption of workflows, especially if background images are used for visual cues or branding. The vulnerability does not enable deletion of project data or tasks, limiting its scope. However, the improper authorization check signals potential weaknesses in access control implementation that could be symptomatic of broader security issues if similar patterns exist elsewhere. Organizations relying on Vikunja for task management should consider the reputational and operational risks of such unauthorized actions, particularly in environments with many users having read-only access. Since the vulnerability is exploitable remotely without authentication beyond read access, it increases the attack surface in multi-tenant or shared deployments.

Mitigation Recommendations

To mitigate CVE-2026-33312, organizations should upgrade Vikunja installations to version 2.2.0 or later, where the authorization check on the DELETE /api/v1/projects/:project/background endpoint is corrected to require CanUpdate permissions. Until upgrading is possible, administrators can implement the following specific measures:

1) Restrict read-only access strictly to trusted users to minimize the risk of exploitation.
2) Monitor API usage logs for suspicious DELETE requests targeting project backgrounds from users with read-only roles.
3) If feasible, disable or restrict the background image feature temporarily to prevent unauthorized deletions.
4) Conduct a thorough review of other API endpoints and permission checks to identify and remediate similar authorization weaknesses.
5) Educate users about the vulnerability and encourage reporting of unexpected changes to project backgrounds.

These targeted actions complement general best practices by focusing on the specific flawed endpoint and permission model involved.
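As an added example of the log monitoring suggested in measure 2 (not part of the advisory or of Vikunja), the Go program below scans constructed access-log lines for successful DELETE requests on the background endpoint and flags those issued by users recorded as read-only. The log format and the ReadOnly mapping are assumptions; a real deployment would take the mapping from the project share table.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed access-log lines, "<user> <method> <path> <status>"; this is
// an assumed format for the example, not Vikunja's real log output.
const SampleLog = `alice DELETE /api/v1/projects/42/background 204
bob GET /api/v1/projects/42/background 200
bob DELETE /api/v1/projects/42/background 204
carol DELETE /api/v1/projects/7/background 204
bob DELETE /api/v1/projects/7/tasks/1 403`

// ReadOnly maps project ID to the users holding only read access (constructed;
// in a real deployment this comes from the project share table).
var ReadOnly = map[string]map[string]bool{
	"42": {"bob": true},
	"7":  {"bob": true, "carol": true},
}

var bgDelete = regexp.MustCompile(`^(\S+) DELETE /api/v1/projects/(\d+)/background (\d{3})$`)

// SuspiciousBackgroundDeletes returns "user:project" for every successful
// (2xx) background deletion issued by a user who only has read access.
func SuspiciousBackgroundDeletes(log string) []string {
	var hits []string
	for _, line := range strings.Split(log, "\n") {
		m := bgDelete.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil || m[3][0] != '2' {
			continue // not a background DELETE, or the server refused it
		}
		if ReadOnly[m[2]][m[1]] {
			hits = append(hits, m[1]+":"+m[2])
		}
	}
	return hits
}

func main() {
	for _, h := range SuspiciousBackgroundDeletes(SampleLog) {
		fmt.Println("read-only user deleted a project background:", h)
	}
}
```

On the sample log this reports bob on project 42 and carol on project 7; alice's deletion is not flagged because she is not a read-only user, and the 403 on the tasks path never matches.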


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-18T21:23:36.676Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69bd5fb1e32a4fbe5fa2ca4d

Added to database: 3/20/2026, 2:54:41 PM

Last enriched: 3/20/2026, 3:09:05 PM

Last updated: 3/20/2026, 4:59:01 PM