CVE-2026-33676: CWE-863: Incorrect Authorization in go-vikunja vikunja
CVE-2026-33676 is an authorization vulnerability in the open-source task management platform Vikunja prior to version 2.2.1. The flaw allows an authenticated user with read access to a task to receive the full details of related tasks that live in projects the user has no permission to access. This occurs because the API populates the 'related_tasks' field of a task response with full task objects without verifying read permission on each related task's project. The exposed information includes sensitive task details such as title, description, due dates, priority, percent completion, and project IDs. The vulnerability has a CVSS score of 6.5 (medium severity) and does not impact task integrity or availability, only confidentiality. Version 2.2.
AI Analysis
Technical Summary
Vikunja is an open-source, self-hosted task management platform that lets users manage tasks across multiple projects, with access granted per project. In versions prior to 2.2.1, the API endpoint that returns a single task's data includes a 'related_tasks' field. This field is populated with full task objects for every task related to the requested one, regardless of the requesting user's permissions on the projects those related tasks belong to. The API checks that the user may read the requested task, but does not repeat that check for the project of each related task. As a result, an authenticated user who can read a task with cross-project relations obtains detailed information about tasks in projects they are not authorized to access. The leaked data includes task titles, descriptions, due dates, priority levels, percent completion, and project identifiers. This is an incorrect authorization flaw, classified under CWE-863 (Incorrect Authorization): the authorization decision is made, but on the wrong object (the requested task rather than each related task). The vulnerability has a CVSS 3.1 base score of 6.5, medium severity. The attack vector is network-based with low attack complexity, it requires low privileges (any authenticated user), and it needs no user interaction; the stated components correspond to the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The impact is on confidentiality only; integrity and availability are not affected. The issue was addressed in Vikunja version 2.2.1 by adding the per-project authorization check before related task details are included in API responses.
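To make the failure mode concrete, the following is an added illustration written for this page, not Vikunja's own code: a minimal in-memory model in Go with a task-detail expansion that behaves the way the advisory describes (the requested task is authorized, its relations are not) next to a hardened version that drops every related task whose project the requesting user cannot read. The type and function names (Task, Relation, Store, canRead, ExpandRelatedVulnerable, ExpandRelatedFixed, SampleStore) and the sample data are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

var errForbidden = errors.New("forbidden: no read access to the task's project")

// Task carries the fields the advisory lists as exposed.
type Task struct {
	ID, ProjectID int64
	Title         string
	Description   string
	Priority      int
}

// Relation links two tasks; the two ends may sit in different projects.
type Relation struct {
	TaskID, OtherTaskID int64
	Kind                string
}

// Store is a constructed in-memory stand-in for the database (an assumption of this example).
type Store struct {
	Tasks     map[int64]Task
	Relations []Relation
	// Readable[user][project] is true when the user has at least read rights on that project.
	Readable map[int64]map[int64]bool
}

func (s *Store) canRead(userID, projectID int64) bool { return s.Readable[userID][projectID] }

// relatedTaskIDs returns the far end of every relation touching taskID, in stable order.
func (s *Store) relatedTaskIDs(taskID int64) []int64 {
	var ids []int64
	for _, r := range s.Relations {
		switch taskID {
		case r.TaskID:
			ids = append(ids, r.OtherTaskID)
		case r.OtherTaskID:
			ids = append(ids, r.TaskID)
		}
	}
	sort.Slice(ids, func(i, j int) bool { return ids[i] < ids[j] })
	return ids
}

// ExpandRelatedVulnerable has the shape of the pre-2.2.1 bug: the caller's right to read
// the requested task is checked once, then every related task is returned in full with
// no check against the related task's own project.
func (s *Store) ExpandRelatedVulnerable(userID, taskID int64) ([]Task, error) {
	t, ok := s.Tasks[taskID]
	if !ok || !s.canRead(userID, t.ProjectID) {
		return nil, errForbidden
	}
	var out []Task
	for _, id := range s.relatedTaskIDs(taskID) {
		out = append(out, s.Tasks[id]) // no per-project check here
	}
	return out, nil
}

// ExpandRelatedFixed adds the missing check: a related task is included only when the
// caller can read its project. Unreadable relations are dropped rather than failing the
// whole request, since the caller is legitimately allowed to see the task they asked for.
func (s *Store) ExpandRelatedFixed(userID, taskID int64) ([]Task, error) {
	t, ok := s.Tasks[taskID]
	if !ok || !s.canRead(userID, t.ProjectID) {
		return nil, errForbidden
	}
	var out []Task
	for _, id := range s.relatedTaskIDs(taskID) {
		rt, ok := s.Tasks[id]
		if !ok || !s.canRead(userID, rt.ProjectID) {
			continue // authorization check on the related task's project
		}
		out = append(out, rt)
	}
	return out, nil
}

// SampleStore is constructed data: user 1 may read project 10 but not project 20; task 100
// (project 10) is related to task 101 (project 10) and task 200 (project 20).
func SampleStore() *Store {
	return &Store{
		Tasks: map[int64]Task{
			100: {ID: 100, ProjectID: 10, Title: "Public roadmap item", Priority: 2},
			101: {ID: 101, ProjectID: 10, Title: "Follow-up in same project"},
			200: {ID: 200, ProjectID: 20, Title: "Confidential merger prep", Description: "do not share", Priority: 5},
		},
		Relations: []Relation{{100, 101, "subtask"}, {100, 200, "related"}},
		Readable:  map[int64]map[int64]bool{1: {10: true}},
	}
}

func main() {
	s := SampleStore()
	leaked, _ := s.ExpandRelatedVulnerable(1, 100)
	safe, _ := s.ExpandRelatedFixed(1, 100)
	fmt.Printf("vulnerable: %d related tasks (includes project 20), fixed: %d\n", len(leaked), len(safe))
	_, err := s.ExpandRelatedFixed(1, 200)
	fmt.Println("direct request for task 200:", err)
}
```

The point of the fixed variant is that the authorization subject changes: the check must be evaluated against the project of each object that ends up in the response, not only against the object the URL names. Requesting task 200 directly is refused in both variants; the bug is purely in what the authorized request for task 100 drags along with it.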
Potential Impact
The primary impact of CVE-2026-33676 is unauthorized disclosure of sensitive task information across project boundaries within Vikunja deployments. Organizations using affected versions risk leaking confidential project details such as task descriptions, deadlines, priorities, and progress metrics to unauthorized users who have limited access rights. This can lead to information exposure that may compromise project confidentiality, competitive advantage, or privacy. While the vulnerability does not allow modification or deletion of data, the unauthorized visibility of sensitive task information can facilitate social engineering, insider threats, or competitive intelligence gathering. Since Vikunja is often used for internal task and project management, the exposure of cross-project task details could undermine trust in the platform and violate data protection policies. The vulnerability affects all organizations running Vikunja versions prior to 2.2.1, especially those with multi-project environments and users with varying access levels. No known exploits are reported in the wild yet, but the ease of exploitation by any authenticated user with read access to at least one task makes timely remediation important.
Mitigation Recommendations
Organizations should upgrade all Vikunja instances to version 2.2.1 or later, where the authorization check for related tasks is implemented. Until the upgrade is possible, administrators can reduce exposure by reviewing project sharing (user, team and link shares) so that only trusted users hold read access, and by avoiding or removing relations between tasks in projects with different audiences, since a relation is what carries a task from a restricted project into a response the broader audience can request. Monitoring API access logs for unusual volumes of task-detail retrieval by a single account may help spot attempts to harvest related tasks. Custom integrations and API clients that cache or re-expose task responses should be reviewed so they do not store or forward related task data beyond the caller's own access. Network-level protections such as VPNs or IP allowlisting limit who can reach the API, but they do not address the core risk: the attacker here is already an authenticated user, so least privilege on project sharing and the upgrade itself are the controls that matter. After upgrading, verify the fix with a low-privileged account by fetching a task that has a relation into a project that account cannot list and confirming that the 'related_tasks' field no longer carries that task's details.
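The post-upgrade verification described above can be scripted. What follows is an added example for this page, not Vikunja's own tooling: it takes the JSON body of the low-privileged user's project list and of one task-detail response, derives the set of readable project IDs from the first, and reports every related task in the second whose project_id falls outside that set. The JSON field names (id, project_id, title, related_tasks) follow the advisory's wording, and related_tasks is assumed to be an object keyed by relation kind; both are assumptions to confirm against your instance's real output. The sample bodies are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// apiTask is the subset of a task object needed for the check. The field names follow
// the advisory's wording; confirm them against your instance's actual JSON.
type apiTask struct {
	ID        int64  `json:"id"`
	ProjectID int64  `json:"project_id"`
	Title     string `json:"title"`
}

// taskResponse models the task-detail response. related_tasks is assumed to be an
// object keyed by relation kind, each holding an array of task objects.
type taskResponse struct {
	apiTask
	RelatedTasks map[string][]apiTask `json:"related_tasks"`
}

// Leak records a related task whose project the caller cannot otherwise read.
type Leak struct {
	Kind      string
	TaskID    int64
	ProjectID int64
	Title     string
}

// AccessibleProjects turns the project-list response (assumed: JSON array of objects
// with an "id" field) into the set of project IDs the caller is allowed to read.
func AccessibleProjects(body []byte) (map[int64]bool, error) {
	var projects []struct {
		ID int64 `json:"id"`
	}
	if err := json.Unmarshal(body, &projects); err != nil {
		return nil, err
	}
	ok := make(map[int64]bool, len(projects))
	for _, p := range projects {
		ok[p.ID] = true
	}
	return ok, nil
}

// FindLeaks lists every related task whose project_id is outside the readable set,
// sorted by task ID. On a patched instance this should be empty for every task checked.
func FindLeaks(taskBody []byte, readable map[int64]bool) ([]Leak, error) {
	var resp taskResponse
	if err := json.Unmarshal(taskBody, &resp); err != nil {
		return nil, err
	}
	var leaks []Leak
	for kind, tasks := range resp.RelatedTasks {
		for _, rt := range tasks {
			if !readable[rt.ProjectID] {
				leaks = append(leaks, Leak{Kind: kind, TaskID: rt.ID, ProjectID: rt.ProjectID, Title: rt.Title})
			}
		}
	}
	sort.Slice(leaks, func(i, j int) bool { return leaks[i].TaskID < leaks[j].TaskID })
	return leaks, nil
}

// Constructed sample bodies: the low-privileged user can list only project 10, yet the
// unpatched task response expands a relation into project 20.
const SampleProjectsJSON = `[{"id":10,"title":"Engineering"}]`

const SampleTaskJSON = `{"id":100,"project_id":10,"title":"Public roadmap item",
 "related_tasks":{
   "subtask":[{"id":101,"project_id":10,"title":"Follow-up"}],
   "related":[{"id":200,"project_id":20,"title":"Confidential merger prep"}]}}`

const SamplePatchedTaskJSON = `{"id":100,"project_id":10,"title":"Public roadmap item",
 "related_tasks":{"subtask":[{"id":101,"project_id":10,"title":"Follow-up"}]}}`

func main() {
	readable, _ := AccessibleProjects([]byte(SampleProjectsJSON))
	leaks, _ := FindLeaks([]byte(SampleTaskJSON), readable)
	for _, l := range leaks {
		fmt.Printf("LEAK: %s -> task %d %q in project %d (not readable)\n", l.Kind, l.TaskID, l.Title, l.ProjectID)
	}
}
```

To run this against a real instance, fetch both bodies with the low-privileged user's own API token and feed them to AccessibleProjects and FindLeaks; any finding whose title or description is populated is the behaviour the fix removes. The page does not say whether a patched instance omits the inaccessible relation entirely or keeps a bare reference, so treat a finding that carries only an ID as something to inspect rather than as proof the instance is still affected.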
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, Sweden, Switzerland, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T16:34:59.930Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c2b56bf4197a8e3b4a0812
Added to database: 3/24/2026, 4:01:47 PM
Last enriched: 3/31/2026, 8:36:07 PM
Last updated: 5/7/2026, 4:33:47 AM