GHSA-564F-WX8X-878H

Vulnerability from github – Published: 2026-03-20 17:25 – Updated: 2026-03-20 17:25
Summary
Vikunja read-only users can delete project background images via broken object-level authorization
Details

Summary

The DELETE /api/v1/projects/:project/background endpoint checks CanRead permission instead of CanUpdate, allowing any user with read-only access to a project to permanently delete its background image.

Details

The RemoveProjectBackground handler (pkg/modules/background/handler/background.go) reuses checkProjectBackgroundRights, a helper originally written for the read-only GetProjectBackground endpoint. This helper only verifies CanRead permission. In contrast, the handler for setting a background (setBackgroundPreparations) correctly checks CanUpdate.

As a result, destructive write operations (deleting the background file from storage and clearing the project's background_file_id and background_blur_hash fields) are gated behind a read-only permission check.

Impact

A user with read-only access to a project — via direct sharing, team membership, link share tokens with read permission, or read-scoped API tokens — can permanently delete the project's background image. The background file is removed from storage and cannot be recovered. This constitutes unauthorized data destruction.

Reproduction

  1. User A creates a project and sets a background image.
  2. User A shares the project with User B with read-only permission.
  3. User B sends: DELETE /api/v1/projects/{project_id}/background with a valid auth token.
  4. The request succeeds. The background image is permanently deleted.
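The authorization mistake described in the Details section, and the reproduction steps above, reduce to one pattern: a destructive handler reuses a helper that checks a read right. The following Go example is an added illustration, not Vikunja's own code; the `Project`, `Right`, `FileStore` types, the `RemoveBackgroundVulnerable` and `RemoveBackgroundFixed` functions and the fixture values (project 7, file 42, users 1 to 3) are all constructed here. It places the read-gated handler beside the update-gated one and drives both with the read-only user from the reproduction, which is the shape of regression test a maintainer would keep for every DELETE or PUT endpoint.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrForbidden is returned when the caller lacks the right the operation requires.
var ErrForbidden = errors.New("forbidden: insufficient project rights")

// Right is a hypothetical per-user permission level on a project (assumption,
// modelled on the CanRead / CanUpdate distinction the advisory describes).
type Right int

const (
	RightRead  Right = iota // may view the project and its background
	RightWrite              // may change the project, including its background
)

// FileStore stands in for the file storage backend (constructed, in-memory).
type FileStore map[int64][]byte

// Project carries the two columns the advisory names; Shares maps user IDs to rights.
type Project struct {
	ID                 int64
	OwnerID            int64
	BackgroundFileID   int64
	BackgroundBlurHash string
	Shares             map[int64]Right
}

// CanRead: the owner and anyone the project is shared with, at any level.
func (p *Project) CanRead(userID int64) bool {
	if userID == p.OwnerID {
		return true
	}
	_, shared := p.Shares[userID]
	return shared
}

// CanUpdate: the owner and users shared with at least write level.
func (p *Project) CanUpdate(userID int64) bool {
	if userID == p.OwnerID {
		return true
	}
	return p.Shares[userID] >= RightWrite
}

// clearBackground is the destructive work: remove the file, clear both columns.
func clearBackground(p *Project, store FileStore) {
	delete(store, p.BackgroundFileID)
	p.BackgroundFileID = 0
	p.BackgroundBlurHash = ""
}

// RemoveBackgroundVulnerable reproduces the flawed pattern: a DELETE handler
// gated by the read check that a GET handler would use.
func RemoveBackgroundVulnerable(p *Project, store FileStore, userID int64) error {
	if !p.CanRead(userID) {
		return ErrForbidden
	}
	clearBackground(p, store)
	return nil
}

// RemoveBackgroundFixed gates the same destructive operation behind the update right.
func RemoveBackgroundFixed(p *Project, store FileStore, userID int64) error {
	if !p.CanUpdate(userID) {
		return ErrForbidden
	}
	clearBackground(p, store)
	return nil
}

// newFixture mirrors the reproduction: user 1 owns project 7 with background file 42,
// user 2 has read-only access, user 3 has write access (all values constructed).
func newFixture() (*Project, FileStore) {
	store := FileStore{42: []byte("png bytes")}
	p := &Project{
		ID: 7, OwnerID: 1, BackgroundFileID: 42, BackgroundBlurHash: "LEHV6nWB2yk8",
		Shares: map[int64]Right{2: RightRead, 3: RightWrite},
	}
	return p, store
}

func main() {
	handlers := []struct {
		name string
		fn   func(*Project, FileStore, int64) error
	}{{"vulnerable", RemoveBackgroundVulnerable}, {"fixed", RemoveBackgroundFixed}}
	for _, h := range handlers {
		p, store := newFixture()
		err := h.fn(p, store, 2) // user 2: read-only share, as in the reproduction
		_, fileKept := store[42]
		fmt.Printf("%-10s read-only DELETE -> err=%v, file kept=%v, file_id=%d\n",
			h.name, err, fileKept, p.BackgroundFileID)
	}
}
```

The fix is a one-line change of which right is checked, which is exactly why it is easy to miss when a helper written for a GET handler is reused: the helper's name says nothing about the operation it was meant to guard. Naming helpers after the right they check, and having a table-driven test that runs every mutating handler with a read-only principal and expects a denial, catches this class of defect before it ships.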

References

  • pkg/modules/background/handler/background.go: RemoveProjectBackground (line 416), checkProjectBackgroundRights (line 304), setBackgroundPreparations (line 106)
  • pkg/routes/routes.go line 665 — route registration

Credits

This vulnerability was found using GitHub Security Lab Taskflows.


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "code.vikunja.io/api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.20.2"
            },
            {
              "fixed": "2.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33312"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T17:25:21Z",
    "nvd_published_at": "2026-03-20T15:16:18Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe `DELETE /api/v1/projects/:project/background` endpoint checks `CanRead` permission instead of `CanUpdate`, allowing any user with read-only access to a project to permanently delete its background image.\n\n## Details\n\nThe `RemoveProjectBackground` handler (`pkg/modules/background/handler/background.go`) reuses `checkProjectBackgroundRights`, a helper originally written for the read-only `GetProjectBackground` endpoint. This helper only verifies `CanRead` permission. In contrast, the handler for *setting* a background (`setBackgroundPreparations`) correctly checks `CanUpdate`.\n\nAs a result, destructive write operations (deleting the background file from storage and clearing the project\u0027s `background_file_id` and `background_blur_hash` fields) are gated behind a read-only permission check.\n\n## Impact\n\nA user with read-only access to a project \u2014 via direct sharing, team membership, link share tokens with read permission, or read-scoped API tokens \u2014 can permanently delete the project\u0027s background image. The background file is removed from storage and cannot be recovered. This constitutes unauthorized data destruction.\n\n## Reproduction\n\n1. User A creates a project and sets a background image.\n2. User A shares the project with User B with **read-only** permission.\n3. User B sends: `DELETE /api/v1/projects/{project_id}/background` with a valid auth token.\n4. The request succeeds. The background image is permanently deleted.\n\n## References\n\n- `pkg/modules/background/handler/background.go` \u2014 `RemoveProjectBackground` (line 416), `checkProjectBackgroundRights` (line 304), `setBackgroundPreparations` (line 106)\n- `pkg/routes/routes.go` line 665 \u2014 route registration\n\n## Credits\n\nThis vulnerability was found using [GitHub Security Lab Taskflows](https://github.com/GitHubSecurityLab/seclab-taskflows).",
  "id": "GHSA-564f-wx8x-878h",
  "modified": "2026-03-20T17:25:21Z",
  "published": "2026-03-20T17:25:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-564f-wx8x-878h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33312"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-vikunja/vikunja"
    },
    {
      "type": "WEB",
      "url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Vikunja read-only users can delete project background images via broken object-level authorization"
}
