CVE-2026-33680: CWE-285: Improper Authorization in go-vikunja vikunja
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the `LinkSharing.ReadAll()` method allows link share authenticated users to list all link shares for a project, including their secret hashes. While `LinkSharing.CanRead()` correctly blocks link share users from reading individual shares via `ReadOne`, the `ReadAllWeb` handler bypasses this check by never calling `CanRead()`. An attacker with a read-only link share can retrieve hashes for write or admin link shares on the same project and authenticate with them, escalating to full admin access. Version 2.2.2 patches the issue.
AI Analysis
Technical Summary
Vikunja is an open-source, self-hosted task management platform that supports link sharing with three permission levels: read, write and admin. A link share is authenticated by its secret hash, so whoever knows the hash holds that share's permission level on the project.

In versions prior to 2.2.2, `LinkSharing.ReadAll()` returns every link share on a project, hashes included, to any caller who is themselves authenticated through a link share. The single-object path is guarded: `LinkSharing.CanRead()` rejects link-share principals, and `ReadOne` calls it. The list path is not: the `ReadAllWeb` handler never invokes `CanRead()`, so the same caller that is refused one share object is handed all of them. An attacker holding only a read-only share therefore obtains the hashes of the project's write and admin shares, authenticates with the admin hash, and gains full administrative control of the project.

Exploitation is remote, requires no user interaction, and needs no privilege beyond possession of a read-only link share. The CVSS v3.1 base score is 7.5 (High), reflecting the exposure of project data and administrative functions. Version 2.2.2 fixes the issue by enforcing the authorization check in the `ReadAllWeb` handler, so link-share principals can no longer enumerate a project's shares.
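The following is an added, self-contained Go model of the flaw and its fix; it is not Vikunja's code. The types (`LinkShare`, `Principal`, `Right`), the functions (`authenticateShare`, `canRead`, `readAllVulnerable`, `readAllFixed`, `escalate`) and the sample hashes are all assumptions chosen to mirror the advisory: `ReadOne` consults `CanRead()`, which refuses link-share principals, while the pre-2.2.2 listing path does not. The `escalate` routine walks the attacker's chain from a read-only hash to the admin hash and shows that gating the listing behind the same check stops it.

```go
package main

import (
	"errors"
	"fmt"
)

// Right is a link share's permission level; higher is more privileged.
type Right int

const (
	RightRead Right = iota
	RightWrite
	RightAdmin
)

var rightNames = [...]string{"read", "write", "admin"}

func (r Right) String() string { return rightNames[r] }

// LinkShare is a simplified share record (hypothetical, not Vikunja's). Hash is
// the secret that logs a client in as this share, so returning it hands out its Right.
type LinkShare struct {
	ID, ProjectID int
	Right         Right
	Hash          string
}

// Principal is the caller: a user (UserID > 0) or an authenticated link share.
type Principal struct {
	UserID    int
	LinkShare *LinkShare
}

var ErrForbidden = errors.New("forbidden")

// Constructed sample data: three shares of differing rights on project 7.
var store = []LinkShare{
	{ID: 1, ProjectID: 7, Right: RightRead, Hash: "r34d0nly-hash"},
	{ID: 2, ProjectID: 7, Right: RightWrite, Hash: "wr1t3-hash"},
	{ID: 3, ProjectID: 7, Right: RightAdmin, Hash: "adm1n-hash"},
}

// authenticateShare models share login: present a hash, get that share's right.
func authenticateShare(hash string) (Principal, error) {
	for i := range store {
		if store[i].Hash == hash {
			return Principal{LinkShare: &store[i]}, nil
		}
	}
	return Principal{}, ErrForbidden
}

// canRead is the rule the advisory says ReadOne enforces: link-share principals
// may never read share objects (ownership checks for users omitted here).
func canRead(p Principal) bool { return p.LinkShare == nil && p.UserID > 0 }

// readAllVulnerable models the pre-2.2.2 listing: every share on the project,
// hashes included, with no authorization check at all.
func readAllVulnerable(_ Principal, projectID int) ([]LinkShare, error) {
	var out []LinkShare
	for _, s := range store {
		if s.ProjectID == projectID {
			out = append(out, s)
		}
	}
	return out, nil
}

// readAllFixed gates the same listing behind the check ReadOne already used.
func readAllFixed(p Principal, projectID int) ([]LinkShare, error) {
	if !canRead(p) {
		return nil, ErrForbidden
	}
	return readAllVulnerable(p, projectID)
}

// escalate plays the attacker: log in with a read-only hash, list the project's
// shares, log in again with the most privileged hash seen; returns the final right.
func escalate(list func(Principal, int) ([]LinkShare, error), readHash string) (Right, error) {
	p, err := authenticateShare(readHash)
	if err != nil {
		return 0, err
	}
	shares, err := list(p, p.LinkShare.ProjectID)
	if err != nil {
		return p.LinkShare.Right, err // enumeration denied: attacker stays read-only
	}
	best := *p.LinkShare
	for _, s := range shares {
		if s.Right > best.Right {
			best = s
		}
	}
	p2, err := authenticateShare(best.Hash)
	if err != nil {
		return 0, err
	}
	return p2.LinkShare.Right, nil
}

func main() {
	r, err := escalate(readAllVulnerable, "r34d0nly-hash")
	fmt.Println("pre-2.2.2 listing:", r, err)
	r, err = escalate(readAllFixed, "r34d0nly-hash")
	fmt.Println("patched listing:", r, err)
}
```

The point the model makes is that an authorization check attached to one accessor is worthless if a second accessor over the same objects skips it; the fix is to apply the object's own `CanRead` rule on every path that returns the object, and to treat the hash field as a credential rather than as ordinary data.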
Potential Impact
This vulnerability allows attackers with minimal access—a read-only link share—to escalate privileges to write or admin levels within a project. The impact includes unauthorized modification or deletion of tasks, exposure of sensitive project information, and potential disruption of project workflows. For organizations relying on Vikunja for task management, this could lead to data integrity issues, loss of confidentiality, and operational disruption. Since Vikunja is self-hosted, the risk is concentrated in environments where link sharing is enabled and read-only links are distributed. Attackers could leverage this flaw to compromise project management data, potentially affecting decision-making and collaboration. The lack of required user interaction and the ability to exploit remotely increase the threat's severity. Although no known exploits are reported in the wild yet, the vulnerability's nature and ease of exploitation make it a significant risk for affected deployments.
Mitigation Recommendations
Upgrade every Vikunja instance to version 2.2.2 or later, which restores the authorization check in the `ReadAllWeb` handler. The upgrade stops further enumeration but does not invalidate hashes that may already have been read out: on any project where a read-only share was in circulation before patching, treat its write and admin shares as potentially exposed and recreate them. Until the upgrade can be applied, disable link sharing, or at least avoid issuing read-only shares on projects that also carry write or admin shares, since a read-only share is the only foothold the attack needs. Review existing link shares and revoke any that are unnecessary or unrecognised. Limit network exposure of the instance to trusted networks where possible, and keep access logging enabled: the footprint of this attack is a link-share-authenticated request that lists a project's shares, followed by the same client authenticating with a different, higher-privileged share hash. Finally, advise users to share links at the lowest permission level that serves the purpose and to keep write and admin links to a narrow audience.
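As an added example of the log monitoring suggested above, the Go program below runs two detection rules over a constructed access log. It is not Vikunja's code, and the log format, field names and route paths (`/api/v1/projects/<id>/shares` for listing shares, `/api/v1/shares/<hash>/auth` for share login) are assumptions; adapt the parser and the two regular expressions to the layout your reverse proxy or Vikunja instance actually emits. Rule 1 flags a link-share principal that successfully lists a project's shares, which a read-only share has no legitimate reason to do; rule 2 flags one client address authenticating with two or more distinct share hashes, the second step of the escalation chain.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleLog is constructed test data in a hypothetical key=value layout.
// Lines 2-5 show the escalation chain from one address; lines 1 and 6 are benign.
const sampleLog = `ts=2026-03-25T10:00:01Z ip=203.0.113.5 principal=user:alice method=GET path=/api/v1/projects/7/shares status=200
ts=2026-03-25T10:02:10Z ip=198.51.100.9 principal=anonymous method=POST path=/api/v1/shares/r34d0nly-hash/auth status=200
ts=2026-03-25T10:02:11Z ip=198.51.100.9 principal=linkshare:1 method=GET path=/api/v1/projects/7/shares status=200
ts=2026-03-25T10:02:15Z ip=198.51.100.9 principal=anonymous method=POST path=/api/v1/shares/adm1n-hash/auth status=200
ts=2026-03-25T10:02:16Z ip=198.51.100.9 principal=linkshare:3 method=DELETE path=/api/v1/projects/7 status=200
ts=2026-03-25T10:05:00Z ip=192.0.2.7 principal=linkshare:2 method=GET path=/api/v1/projects/7/tasks status=200`

// Finding is one alert produced by a rule.
type Finding struct {
	Rule   string
	IP     string
	Detail string
}

// Assumed route shapes; adjust to the real API paths in your deployment.
var (
	listShares = regexp.MustCompile(`^/api/v1/projects/\d+/shares/?$`)
	shareAuth  = regexp.MustCompile(`^/api/v1/shares/([^/]+)/auth$`)
)

// parseLine splits "k=v k=v ..." into a map; unknown keys are kept as-is.
func parseLine(line string) map[string]string {
	fields := map[string]string{}
	for _, kv := range strings.Fields(line) {
		if k, v, ok := strings.Cut(kv, "="); ok {
			fields[k] = v
		}
	}
	return fields
}

// detect applies both rules in log order and returns the findings.
func detect(log string) []Finding {
	var findings []Finding
	hashesByIP := map[string]map[string]bool{} // distinct share hashes seen per client
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := parseLine(line)
		path, ip, principal, ok := f["path"], f["ip"], f["principal"], f["status"] == "200"

		// Rule 1: a link-share principal listing the project's shares.
		if ok && strings.HasPrefix(principal, "linkshare:") && listShares.MatchString(path) {
			findings = append(findings, Finding{"linkshare-enumerates-shares", ip, principal + " " + path})
		}

		// Rule 2: the same client authenticating with a second distinct share hash.
		if m := shareAuth.FindStringSubmatch(path); ok && m != nil {
			if hashesByIP[ip] == nil {
				hashesByIP[ip] = map[string]bool{}
			}
			hashesByIP[ip][m[1]] = true
			if len(hashesByIP[ip]) == 2 {
				findings = append(findings, Finding{"multiple-share-hashes-from-one-ip", ip,
					fmt.Sprintf("%d distinct share hashes", len(hashesByIP[ip]))})
			}
		}
	}
	return findings
}

func main() {
	for _, f := range detect(sampleLog) {
		fmt.Printf("%-36s %-14s %s\n", f.Rule, f.IP, f.Detail)
	}
}
```

Rule 1 is the higher-fidelity signal and is worth alerting on alone, because on a patched instance the request should fail authorization and on an unpatched one it is the enumeration itself. Rule 2 on its own can fire for a legitimate user opening two shared projects, so treat it as corroboration rather than as a standalone alert.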
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, Sweden, Switzerland, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-23T16:34:59.931Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c2b56bf4197a8e3b4a0825
Added to database: 3/24/2026, 4:01:47 PM
Last enriched: 3/31/2026, 7:51:14 PM
Last updated: 5/7/2026, 8:55:07 PM