CVE-2026-33313: CWE-639: Authorization Bypass Through User-Controlled Key in go-vikunja vikunja
CVE-2026-33313 is an authorization bypass vulnerability in the open-source task management platform Vikunja, affecting versions prior to 2.2.0. Authenticated users can read any task comment by manipulating the task ID in the API URL, even if they lack access to the task the comment belongs to. The flaw is an improper authorization check (CWE-639): the access decision is keyed on a user-controlled identifier rather than on the object that is actually returned. The vulnerability has a CVSS 4.0 base score of 5.3, medium severity. Exploitation requires authentication but no user interaction, and it affects confidentiality only, by exposing task comments to users who should not see them. The issue is fixed in version 2.2.0.
AI Analysis
Technical Summary
CVE-2026-33313 is an authorization bypass vulnerability in the go-vikunja Vikunja task management platform, affecting versions prior to 2.2.0. Vikunja is an open-source, self-hosted platform for managing tasks and the comments attached to them. The vulnerability stems from an improper authorization check (CWE-639: Authorization Bypass Through User-Controlled Key) in the API endpoint that retrieves task comments. The permission check is evaluated against the task ID supplied in the URL rather than against the task the requested comment actually belongs to. An authenticated user can therefore put a task ID they are allowed to read in the URL and retrieve comments that belong to tasks they have no access to. The result is unauthorized reading of task comments, a confidentiality breach. No privileges beyond a valid account are required, no user interaction is involved, and the request is an ordinary API call, so exploitation is straightforward for any authenticated user. The CVSS 4.0 base score is 5.3 (medium), reflecting the limited impact (read-only disclosure of comments) and the authentication requirement. The issue was publicly disclosed on March 24, 2026, and fixed in Vikunja version 2.2.0. No known exploits have been reported in the wild to date. The bug illustrates the general rule for object-level authorization: authorize against the object you are about to return (here, the task the comment belongs to), not against an identifier the caller chose.
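The CWE-639 pattern the summary describes, written out as an added Go example (Vikunja is written in Go, but this is illustrative code, not Vikunja's own handler or data model). The vulnerable handler authorizes against the task ID taken from the URL and then loads the comment by its own ID; the fixed handler loads the comment first and authorizes against the task it actually belongs to. The in-memory store, the user names, and the task and comment IDs are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotFound and ErrForbidden are the two failure outcomes a handler may report.
var (
	ErrNotFound  = errors.New("not found")
	ErrForbidden = errors.New("forbidden")
)

// Comment is a task comment; TaskID is the task it belongs to.
type Comment struct {
	ID      int64
	TaskID  int64
	Author  string
	Content string
}

// Store is a constructed in-memory stand-in for the database (assumption): which
// tasks each user may read, and comments keyed by comment ID.
type Store struct {
	readableTasks map[string]map[int64]bool
	comments      map[int64]Comment
}

// canReadTask is the task-level permission check both handlers rely on.
func (s *Store) canReadTask(user string, taskID int64) bool {
	return s.readableTasks[user][taskID]
}

// GetCommentVulnerable shows the CWE-639 shape: the permission check runs against the
// task ID from the URL, but the comment is then fetched by its own ID with no check
// that it belongs to that task.
func (s *Store) GetCommentVulnerable(user string, urlTaskID, commentID int64) (Comment, error) {
	if !s.canReadTask(user, urlTaskID) {
		return Comment{}, ErrForbidden
	}
	c, ok := s.comments[commentID]
	if !ok {
		return Comment{}, ErrNotFound
	}
	return c, nil // c.TaskID may differ from urlTaskID: this is the leak
}

// GetCommentFixed loads the comment first and authorizes against the task it really
// belongs to. A comment that is not under the URL's task is reported as not found
// rather than forbidden, so the response does not confirm that the comment ID exists.
func (s *Store) GetCommentFixed(user string, urlTaskID, commentID int64) (Comment, error) {
	c, ok := s.comments[commentID]
	if !ok || c.TaskID != urlTaskID {
		return Comment{}, ErrNotFound
	}
	if !s.canReadTask(user, c.TaskID) {
		return Comment{}, ErrForbidden
	}
	return c, nil
}

// NewSampleStore builds constructed sample data: alice and mallory share task 1,
// task 2 is alice's only, and comment 42 lives on task 2.
func NewSampleStore() *Store {
	return &Store{
		readableTasks: map[string]map[int64]bool{
			"alice":   {1: true, 2: true},
			"mallory": {1: true},
		},
		comments: map[int64]Comment{
			7:  {ID: 7, TaskID: 1, Author: "alice", Content: "shared task note"},
			42: {ID: 42, TaskID: 2, Author: "alice", Content: "private: vendor pricing"},
		},
	}
}

func main() {
	s := NewSampleStore()
	// mallory puts task 1 (which she may read) in the URL but asks for comment 42 (on task 2).
	c, err := s.GetCommentVulnerable("mallory", 1, 42)
	fmt.Printf("vulnerable: %q err=%v\n", c.Content, err)
	_, err = s.GetCommentFixed("mallory", 1, 42)
	fmt.Printf("fixed:      err=%v\n", err)
	c, err = s.GetCommentFixed("alice", 2, 42)
	fmt.Printf("owner:      %q err=%v\n", c.Content, err)
}
```

The fixed handler still answers "forbidden" when the URL's task is the right one but the caller may not read it, which is the same signal the task endpoint itself gives; what it no longer does is let a task the caller can read vouch for a comment that lives elsewhere.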
Potential Impact
The primary impact of CVE-2026-33313 is unauthorized disclosure of task comments, which may contain sensitive project details, internal communications, or confidential information. For organizations using Vikunja for task management this is an information leak across the project boundaries the platform is supposed to enforce. The vulnerability does not allow modification or deletion of data, but exposed comments can feed social engineering or corporate espionage and undermine trust in the platform. Organizations that track sensitive or proprietary work in Vikunja are particularly at risk. Because exploitation requires authentication, the threat comes from insiders, compromised user accounts, or anyone able to register on an instance that allows open sign-up; in environments with many users or weak credential management this is still a significant exposure. Disclosure of personal or regulated data in comments can also create compliance obligations. The absence of known exploits in the wild reduces immediate risk, but the public disclosure and medium severity score warrant prompt remediation.
Mitigation Recommendations
To mitigate CVE-2026-33313, organizations should upgrade all Vikunja instances to version 2.2.0 or later, where the authorization bypass has been fixed. The correct check, which the fix must enforce server-side, is that the requested comment belongs to the task named in the URL and that the authenticated user may read that task; administrators cannot add this check themselves without patching the application, so if an immediate upgrade is not feasible the practical interim controls are to limit who can authenticate (disable open registration, review existing accounts), restrict reachability of the API at the network edge, and monitor access logs for unusual patterns of task comment retrieval, such as one account reading many distinct comment IDs in quick succession. Strong authentication and least-privilege project membership reduce the chance that a compromised account is in a position to exploit the flaw. Regularly auditing user permissions and restricting access to sensitive tasks further limits exposure. Finally, organizations should follow updates from the Vikunja project and apply security patches promptly.
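As an added example of the log monitoring suggested above (not a Vikunja feature and not the project's code), a small Go scanner over constructed access-log lines that flags accounts reading many distinct comment IDs under a single URL task ID, which is the request shape the description implies when a readable task ID is held constant in the URL. The log line layout, the route shape /api/v1/tasks/{task}/comments/{comment}, the user names and IDs, and the threshold are all assumptions for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// sampleLog is a constructed access log (assumed layout, not Vikunja's real log format).
const sampleLog = `2026-03-24T18:00:01Z user=alice GET /api/v1/tasks/2/comments/42 200
2026-03-24T18:00:03Z user=alice GET /api/v1/tasks/2/comments/43 200
2026-03-24T18:00:05Z user=mallory GET /api/v1/tasks/1/comments/7 200
2026-03-24T18:00:06Z user=mallory GET /api/v1/tasks/1/comments/40 200
2026-03-24T18:00:06Z user=mallory GET /api/v1/tasks/1/comments/41 200
2026-03-24T18:00:07Z user=mallory GET /api/v1/tasks/1/comments/42 200
2026-03-24T18:00:07Z user=mallory GET /api/v1/tasks/1/comments/43 200
2026-03-24T18:00:08Z user=mallory GET /api/v1/tasks/1/comments/44 200
2026-03-24T18:00:08Z user=mallory GET /api/v1/tasks/1/comments/45 404
2026-03-24T18:00:09Z user=bob GET /api/v1/tasks/9 200
`

// commentRoute matches a single-comment read; the route shape is an assumption.
var commentRoute = regexp.MustCompile(`user=(\S+) GET /api/v1/tasks/(\d+)/comments/(\d+) (\d{3})`)

// Finding describes one account whose comment reads look like enumeration.
type Finding struct {
	User     string
	TaskID   string
	Distinct int // distinct comment IDs successfully read under this one task ID
}

// FindCommentEnumeration returns every (user, task) pair where the user successfully
// read more than maxPerTask distinct comment IDs under that task ID. Only 200 responses
// count, since those are the reads that actually disclosed data. The threshold is an
// assumption to tune per deployment.
func FindCommentEnumeration(log string, maxPerTask int) []Finding {
	seen := map[string]map[string]map[string]bool{} // user -> task -> comment -> seen
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := commentRoute.FindStringSubmatch(sc.Text())
		if m == nil || m[4] != "200" {
			continue
		}
		user, task, comment := m[1], m[2], m[3]
		if seen[user] == nil {
			seen[user] = map[string]map[string]bool{}
		}
		if seen[user][task] == nil {
			seen[user][task] = map[string]bool{}
		}
		seen[user][task][comment] = true
	}
	var out []Finding
	for user, tasks := range seen {
		for task, comments := range tasks {
			if len(comments) > maxPerTask {
				out = append(out, Finding{User: user, TaskID: task, Distinct: len(comments)})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		return out[i].User < out[j].User || (out[i].User == out[j].User && out[i].TaskID < out[j].TaskID)
	})
	return out
}

func main() {
	for _, f := range FindCommentEnumeration(sampleLog, 3) {
		fmt.Printf("user %s read %d distinct comments under task %s\n", f.User, f.Distinct, f.TaskID)
	}
}
```

The access log alone cannot tell whether a comment belongs to the task named in the URL, so this rule is a heuristic for spotting enumeration after the fact; the server-side ownership check in the patched version is the control that actually closes the hole.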
Affected Countries
United States, Germany, France, United Kingdom, Netherlands, Canada, Australia, India, Japan, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-18T21:23:36.676Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c2cdd9f4197a8e3b58a8cf
Added to database: 3/24/2026, 5:46:01 PM
Last enriched: 3/24/2026, 6:01:29 PM
Last updated: 3/24/2026, 6:47:18 PM