
CVE-2026-33679: CWE-918: Server-Side Request Forgery (SSRF) in go-vikunja vikunja

Severity: Medium
Tags: Vulnerability, CVE-2026-33679, CWE-918
Published: Tue Mar 24 2026 (03/24/2026, 15:46:10 UTC)
Source: CVE Database V5
Vendor/Project: go-vikunja
Product: vikunja

Description

CVE-2026-33679 is a Server-Side Request Forgery (SSRF) vulnerability in the go-vikunja vikunja task management platform versions prior to 2.2.1. The flaw exists in the DownloadImage function, which uses an unprotected http.Client to fetch user avatar images from URLs specified in the OpenID Connect picture claim. An attacker controlling their OIDC profile picture URL can exploit this to make the server perform arbitrary HTTP GET requests to internal or cloud metadata endpoints, bypassing existing SSRF protections applied elsewhere. This can lead to limited confidentiality impact and partial availability impact. The vulnerability has a CVSS score of 6.4 (medium severity) and requires low privileges but no user interaction. Organizations using vulnerable versions should upgrade to 2.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/24/2026, 16:17:48 UTC

Technical Analysis

CVE-2026-33679 is a medium-severity SSRF vulnerability affecting go-vikunja vikunja versions before 2.2.1. Vikunja is an open-source, self-hosted task management platform that supports OpenID Connect (OIDC) for authentication. The vulnerability resides in the DownloadImage function within pkg/utils/avatar.go, which downloads user avatar images from URLs specified in the OIDC picture claim. This function uses a bare http.Client{} without any SSRF protections such as URL validation, allowlists, or network restrictions. Consequently, an attacker who can control their OIDC profile picture URL can cause the Vikunja server to make arbitrary HTTP GET requests to internal network resources or cloud provider metadata endpoints. This bypasses the SSRF protections correctly implemented in other parts of the application, such as the webhook system. The vulnerability can be exploited remotely with low privileges and no user interaction, making it relatively easy to trigger. The impact primarily affects confidentiality, as attackers may retrieve sensitive internal data or cloud metadata, and availability, if internal services are overwhelmed or manipulated. Integrity impact is minimal as the vulnerability does not allow modification of data. The issue was patched in version 2.2.1 by presumably adding SSRF protections or validating URLs before fetching images. No known exploits are reported in the wild as of the publication date. The vulnerability is tracked under CWE-918 (Server-Side Request Forgery).

Potential Impact

The primary impact of CVE-2026-33679 is unauthorized internal network reconnaissance and potential leakage of sensitive metadata from cloud environments. Attackers exploiting this SSRF can access internal services that are not exposed externally, such as cloud instance metadata endpoints, which may contain credentials or configuration data. This can lead to further compromise of cloud resources or lateral movement within an organization's network. The vulnerability can also cause partial denial of service if internal services are overwhelmed by crafted requests. Since the vulnerability requires only low privileges and no user interaction, it poses a moderate risk to organizations running vulnerable versions of Vikunja, especially those deployed in cloud or hybrid environments. However, the impact on data integrity is low, and the overall severity is medium due to limited scope and exploit complexity. Organizations with sensitive internal services accessible only via internal networks are at higher risk.

Mitigation Recommendations

1. Upgrade all Vikunja instances to version 2.2.1 or later, where the vulnerability is patched.
2. Implement strict validation and sanitization of URLs obtained from untrusted sources such as OIDC claims before making HTTP requests. Use allowlists to restrict requests to trusted domains only.
3. Employ network segmentation and firewall rules to prevent application servers from accessing sensitive internal or cloud metadata endpoints.
4. Use SSRF protection libraries or middleware that enforce safe HTTP client usage and prevent requests to private IP ranges or known metadata IPs.
5. Monitor application logs for unusual outbound HTTP requests, especially to internal IP ranges or cloud metadata URLs.
6. Review and restrict OIDC provider configurations to limit the ability of users to specify arbitrary picture URLs.
7. Conduct regular security assessments and penetration tests focusing on SSRF and related vulnerabilities in web applications.
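Recommendations 2 and 4 above amount to replacing the bare http.Client{} the analysis describes with one that validates the URL scheme and refuses connections to private or metadata addresses at dial time. The following is an added example of such a client written for this page; it is not vikunja's code or its 2.2.1 fix, and the function names are the author's own.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// Added example, not vikunja's code: a hardened replacement for the bare
// http.Client{} the advisory describes. isDisallowedIP rejects loopback,
// RFC 1918 / ULA private, link-local (169.254.0.0/16, the usual cloud
// metadata range), unspecified and multicast addresses, IPv4-mapped too.
func isDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() ||
		ip.IsUnspecified() || ip.IsMulticast()
}

// guardDial runs after DNS resolution, on the concrete socket address, so a
// hostname that resolves to an internal IP (DNS rebinding included) is refused.
func guardDial(_ string, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if ip := net.ParseIP(host); err != nil || ip == nil || isDisallowedIP(ip) {
		return fmt.Errorf("ssrf guard: refusing to connect to %s", address)
	}
	return nil
}

// validateAvatarURL accepts only absolute http(s) URLs that name a host,
// so file://, gopher:// or relative values never reach the client.
func validateAvatarURL(raw string) error {
	u, err := url.Parse(raw)
	if err == nil && (u.Scheme == "http" || u.Scheme == "https") && u.Hostname() != "" {
		return nil
	}
	return fmt.Errorf("avatar URL must be absolute http(s) with a host: %q", raw)
}

// newAvatarClient wires the guard into the dialer so every connection, redirects
// included, passes through it. Proxy is nil: an env proxy would bypass the check.
func newAvatarClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: guardDial}
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{DialContext: d.DialContext, Proxy: nil},
	}
}
```

Checking the resolved IP inside the dialer, rather than the hostname in the URL, is what closes the DNS-rebinding and redirect variants; a hostname allowlist alone (recommendation 2) does not.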


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-23T16:34:59.931Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69c2b56bf4197a8e3b4a0820

Added to database: 3/24/2026, 4:01:47 PM

Last enriched: 3/24/2026, 4:17:48 PM

Last updated: 3/24/2026, 5:16:41 PM
