CVE-2026-33680: CWE-285: Improper Authorization in go-vikunja vikunja
CVE-2026-33680 is a high-severity improper authorization vulnerability in the open-source task management platform Vikunja versions prior to 2.2.2. The flaw exists in the LinkSharing.ReadAll() method, which allows authenticated users with read-only link shares to list all link shares for a project, including secret hashes of write and admin shares. This occurs because the ReadAllWeb handler bypasses the CanRead() authorization check, enabling attackers to escalate privileges from read-only to full admin access without authentication or user interaction. The vulnerability impacts confidentiality by exposing secret hashes but does not affect integrity or availability directly. The issue is patched in Vikunja version 2.2.2.
AI Analysis
Technical Summary
Vikunja is an open-source, self-hosted task management platform that supports link sharing with different permission levels. In versions prior to 2.2.2, a critical authorization flaw exists in the LinkSharing.ReadAll() method. Specifically, the ReadAllWeb HTTP handler allows authenticated users possessing a read-only link share to retrieve a list of all link shares associated with a project, including secret hashes for shares with write or admin privileges. Although the system correctly restricts reading individual shares via the ReadOne method using the CanRead() authorization check, the ReadAllWeb handler does not invoke this check, effectively bypassing it. This design flaw enables an attacker to obtain secret hashes of higher privilege shares and use them to authenticate as a write or admin user, thereby escalating their privileges to full administrative control over the project. The vulnerability does not require prior authentication beyond possessing a read-only link share and does not require user interaction, making exploitation straightforward. The vulnerability is tracked as CWE-285 (Improper Authorization) and has a CVSS 3.1 base score of 7.5, reflecting high severity. The issue was publicly disclosed on March 24, 2026, and fixed in Vikunja version 2.2.2. No known exploits in the wild have been reported yet.
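The pattern the analysis describes, a list endpoint that skips the per-object authorization check its single-item counterpart applies, is easy to reproduce in a small model. The following Go program is an added example written for this page; it is not Vikunja's code, and the type names (LinkShare, Principal), the in-memory store, the sample hash values and the assumed policy that a link-share principal may read only its own share are all constructed for illustration. It places the flawed list handler beside a hardened one that reuses the same check as the single read and additionally never serializes secret hashes in list responses.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission levels for a link share (constructed for this example; not Vikunja's types).
type Permission int

const (
	PermRead Permission = iota
	PermWrite
	PermAdmin
)

func (p Permission) String() string {
	return [...]string{"read", "write", "admin"}[p]
}

// LinkShare is a share token for a project. Hash is the secret that lets its holder
// authenticate as this share, so it must never reach a lower-privileged caller.
type LinkShare struct {
	ID        int
	ProjectID int
	Perm      Permission
	Hash      string
}

// Principal is whoever made the request: here, the holder of one link share.
type Principal struct {
	ShareID   int
	ProjectID int
	Perm      Permission
}

// store is an in-memory stand-in for the database; all hashes are constructed sample values.
var store = []LinkShare{
	{ID: 1, ProjectID: 42, Perm: PermRead, Hash: "SAMPLE-READ-HASH"},
	{ID: 2, ProjectID: 42, Perm: PermWrite, Hash: "SAMPLE-WRITE-HASH"},
	{ID: 3, ProjectID: 42, Perm: PermAdmin, Hash: "SAMPLE-ADMIN-HASH"},
	{ID: 4, ProjectID: 99, Perm: PermAdmin, Hash: "SAMPLE-OTHER-PROJECT-HASH"},
}

var ErrForbidden = errors.New("forbidden")

// canRead mirrors the per-object check the advisory says the single-item read applies.
// Assumed policy: a link-share principal may read only the share it is authenticated as.
func canRead(p Principal, s LinkShare) bool {
	return s.ProjectID == p.ProjectID && s.ID == p.ShareID
}

// readOne applies canRead before returning a share, as the advisory says ReadOne does.
func readOne(p Principal, id int) (LinkShare, error) {
	for _, s := range store {
		if s.ID == id {
			if !canRead(p, s) {
				return LinkShare{}, ErrForbidden
			}
			return s, nil
		}
	}
	return LinkShare{}, errors.New("not found")
}

// readAllVulnerable shows the flawed pattern: the list handler filters only by project
// and never consults the per-object check, so a read-only holder receives every share's hash.
func readAllVulnerable(_ Principal, projectID int) []LinkShare {
	var out []LinkShare
	for _, s := range store {
		if s.ProjectID == projectID {
			out = append(out, s)
		}
	}
	return out
}

// readAllFixed applies the same authorization as readOne to each element and additionally
// strips the secret from list responses, so a future bypass elsewhere cannot leak it.
func readAllFixed(p Principal, projectID int) ([]LinkShare, error) {
	if projectID != p.ProjectID {
		return nil, ErrForbidden
	}
	var out []LinkShare
	for _, s := range store {
		if s.ProjectID != projectID || !canRead(p, s) {
			continue
		}
		s.Hash = "" // never serialize secrets in list responses
		out = append(out, s)
	}
	return out, nil
}

// leakedHashes reports which secrets a list result would expose to the caller beyond its own.
func leakedHashes(p Principal, shares []LinkShare) []string {
	var leaked []string
	for _, s := range shares {
		if s.Hash != "" && s.ID != p.ShareID {
			leaked = append(leaked, s.Perm.String()+":"+s.Hash)
		}
	}
	return leaked
}

func main() {
	readOnly := Principal{ShareID: 1, ProjectID: 42, Perm: PermRead}
	fmt.Println("vulnerable list leaks:", leakedHashes(readOnly, readAllVulnerable(readOnly, 42)))
	fixed, err := readAllFixed(readOnly, 42)
	fmt.Println("fixed list leaks:", leakedHashes(readOnly, fixed), "err:", err)
	_, err = readOne(readOnly, 3)
	fmt.Println("readOne of admin share:", err)
}
```

The defensive point is in readAllFixed: collection endpoints must route through the same authorization predicate as single-object reads, and fields that function as credentials (here the share hash) should be excluded from list serializations regardless of who is asking, so an authorization slip does not become a credential leak.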
Potential Impact
This vulnerability allows attackers with minimal access—a read-only link share—to escalate their privileges to full admin rights on a project. The impact is significant for organizations using Vikunja versions prior to 2.2.2, as attackers can gain unauthorized access to sensitive project data, modify tasks, change configurations, or delete content, potentially disrupting project workflows and compromising confidentiality. Since Vikunja is self-hosted, the risk is concentrated on organizations that deploy it internally or expose it externally. The exposure of secret hashes undermines the security model of link sharing, enabling lateral privilege escalation within the same project. Although availability and integrity impacts are indirect, the ability to gain admin access can lead to data tampering or denial of service through administrative actions. The vulnerability's ease of exploitation and lack of required user interaction increase the risk of rapid compromise once discovered.
Mitigation Recommendations
Organizations should immediately upgrade Vikunja to version 2.2.2 or later, where the authorization bypass in the ReadAllWeb handler is patched. Until upgrading, administrators should restrict access to link shares, especially read-only links, and monitor usage for suspicious activity. Implement network-level controls to limit access to the Vikunja instance to trusted users and networks. Review and audit existing link shares for unnecessary privileges and revoke any that are not essential. Consider disabling link sharing temporarily if feasible. Additionally, implement logging and alerting on access to link shares and administrative actions to detect potential exploitation attempts. Educate users about the risks of sharing links broadly. Finally, maintain regular backups of project data to recover from potential compromise.
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, Sweden, Switzerland, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T16:34:59.931Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c2b56bf4197a8e3b4a0825
Added to database: 3/24/2026, 4:01:47 PM
Last enriched: 3/24/2026, 4:16:14 PM
Last updated: 3/24/2026, 5:11:33 PM