CVE-2026-33675 is a Server-Side Request Forgery (SSRF) vulnerability identified in the open-source self-hosted task management platform Vikunja, specifically in versions prior to 2.2.1. The root cause lies in the migration helper functions DownloadFile and DownloadFileWithHeaders located in pkg/modules/migration/helpers.go, which perform HTTP GET requests without any validation or SSRF protections. During migrations from third-party services like Todoist or Trello, file attachment URLs obtained from their API responses are passed directly to these functions. This design flaw allows an attacker to supply crafted URLs that cause the Vikunja server to make arbitrary HTTP requests to internal network resources or other unintended destinations. The server then returns the fetched content as downloadable task attachments, potentially leaking sensitive internal information or enabling further attacks within the internal network. The vulnerability requires low privileges (PR:L) but no user interaction (UI:N), and it affects confidentiality (partial data disclosure) and availability (potentially causing resource exhaustion or denial of service). The vulnerability has a CVSS 3.1 base score of 6.4, categorized as medium severity. No known exploits have been reported in the wild as of the publication date. The issue is resolved in Vikunja version 2.2.1, which implements proper SSRF protections and input validation to prevent arbitrary HTTP requests. The vulnerability is tracked under CWE-918 (Server-Side Request Forgery).

The SSRF vulnerability in Vikunja can have significant impacts on organizations running vulnerable versions, especially those self-hosting the platform in environments with sensitive internal networks. Attackers can exploit this flaw to make the Vikunja server perform unauthorized HTTP requests to internal services that are otherwise inaccessible externally. This can lead to unauthorized disclosure of sensitive internal data, such as configuration files, metadata, or internal APIs. Additionally, attackers might leverage SSRF to interact with internal services to escalate privileges, pivot within the network, or cause denial of service by exhausting server resources. Since the vulnerability affects confidentiality and availability, organizations risk data leakage and service disruption. The requirement of low privileges means that any authenticated user with migration capabilities can potentially exploit this, increasing the attack surface. Although no exploits are currently known in the wild, the presence of this vulnerability in a popular open-source platform used globally means that attackers may develop exploits, increasing risk over time. Organizations with critical internal infrastructure accessible from the Vikunja server are particularly at risk.

To mitigate CVE-2026-33675, organizations should immediately upgrade Vikunja to version 2.2.1 or later, where the vulnerability is patched with proper SSRF protections and input validation. Until upgrading is possible, administrators should restrict the Vikunja server's outbound network access using firewall rules or network segmentation to prevent it from reaching sensitive internal resources. Implement strict allowlists for outbound HTTP requests originating from the Vikunja server, limiting them to trusted external domains only. Review and restrict user permissions to ensure only trusted users can perform migrations involving external URLs. Monitor logs for unusual migration activity or unexpected outbound HTTP requests. Additionally, consider deploying web application firewalls (WAFs) with SSRF detection capabilities to detect and block suspicious requests. Regularly audit and update all dependencies and monitor for new vulnerabilities in the Vikunja platform. Finally, educate users about the risks of importing data from untrusted sources during migrations.