Vikunja, an open-source self-hosted task management platform, suffered from an authorization bypass vulnerability identified as CVE-2026-33678 (CWE-639). In versions prior to 2.2.1, the function TaskAttachment.ReadOne() retrieves attachments solely by their ID using a database query filtering on 'WHERE id = ?', ignoring the task ID parameter passed in the URL path. Although the permission check CanRead() validates access rights against the task ID from the URL, the actual attachment loaded may belong to a different task or project. This discrepancy allows any authenticated user to supply their own accessible task ID combined with an arbitrary attachment ID, thereby bypassing authorization checks and accessing attachments from other projects. Because attachment IDs are sequential integers, an attacker can easily enumerate attachment IDs to find and download or delete attachments they are unauthorized to access. The vulnerability affects confidentiality and integrity of data but does not impact availability. The flaw was fixed in version 2.2.1 by ensuring the attachment retrieval respects the task context and enforces proper authorization. No known exploits are reported in the wild as of publication, but the low complexity and high impact make it a significant risk for users of vulnerable versions.

This vulnerability allows authenticated users to bypass authorization controls and access or delete attachments belonging to other users or projects. The impact includes unauthorized disclosure of sensitive or confidential information contained in attachments, potentially leading to data leaks or privacy violations. Additionally, attackers can delete attachments, causing data loss and disrupting project workflows. Since attachments may contain critical documents or proprietary information, this breach can harm organizational confidentiality and integrity. The vulnerability does not affect system availability directly but can undermine trust in the platform. Organizations using vulnerable versions of Vikunja face increased risk of insider threats or lateral movement attacks by malicious or compromised users. The ease of exploitation and trivial enumeration of attachment IDs exacerbate the threat, making it a high-risk vulnerability for any deployment with multiple users or projects.

The primary mitigation is to upgrade Vikunja to version 2.2.1 or later, where the vulnerability is patched by enforcing proper authorization checks that bind attachment access to the correct task context. Until upgrading, organizations should restrict access to the Vikunja instance to trusted users only and monitor attachment access logs for suspicious activity, such as unusual attachment ID requests or deletion patterns. Implement network-level access controls to limit exposure of the platform to internal or VPN-only access. Additionally, review and harden application-level permissions and consider implementing rate limiting or anomaly detection to prevent enumeration of attachment IDs. Regularly audit user permissions and attachment ownership to detect inconsistencies. Finally, educate users about the risk of sharing authentication credentials, as exploitation requires authenticated access.