{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33679", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T16:34:59.931Z", "datePublished": "2026-03-24T15:46:10.417Z", "dateUpdated": "2026-03-24T17:34:14.519Z"}, "containers": {"cna": {"title": "Vikunja has SSRF via OpenID Connect Avatar Download that Bypasses Webhook SSRF Protections", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g9xj-752q-xh63", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g9xj-752q-xh63"}, {"name": "https://github.com/go-vikunja/vikunja/commit/363aa6642352b08fc8bc6aaff2f3a550393af1cf", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-vikunja/vikunja/commit/363aa6642352b08fc8bc6aaff2f3a550393af1cf"}, {"name": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released", "tags": ["x_refsource_MISC"], "url": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released"}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"version": "< 2.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T15:46:10.417Z"}, "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http.Client{}` with no SSRF protection when downloading user avatar images from the OpenID Connect `picture` claim URL. An attacker who controls their OIDC profile picture URL can force the Vikunja server to make HTTP GET requests to arbitrary internal or cloud metadata endpoints. This bypasses the SSRF protections that are correctly applied to the webhook system. Version 2.2.1 patches the issue."}], "source": {"advisory": "GHSA-g9xj-752q-xh63", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T17:33:25.887211Z", "id": "CVE-2026-33679", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T17:34:14.519Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33679", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T17:33:25.887211Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T17:34:06.154Z"}}], "cna": {"title": "Vikunja has SSRF via OpenID Connect Avatar Download that Bypasses Webhook SSRF Protections", "source": {"advisory": "GHSA-g9xj-752q-xh63", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"status": "affected", "version": "< 2.2.1"}]}], "references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g9xj-752q-xh63", "name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g9xj-752q-xh63", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/go-vikunja/vikunja/commit/363aa6642352b08fc8bc6aaff2f3a550393af1cf", "name": "https://github.com/go-vikunja/vikunja/commit/363aa6642352b08fc8bc6aaff2f3a550393af1cf", "tags": ["x_refsource_MISC"]}, {"url": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released", "name": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http.Client{}` with no SSRF protection when downloading user avatar images from the OpenID Connect `picture` claim URL. An attacker who controls their OIDC profile picture URL can force the Vikunja server to make HTTP GET requests to arbitrary internal or cloud metadata endpoints. This bypasses the SSRF protections that are correctly applied to the webhook system. Version 2.2.1 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T15:46:10.417Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33679", "state": "PUBLISHED", "dateUpdated": "2026-03-24T17:34:14.519Z", "dateReserved": "2026-03-23T16:34:59.931Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-24T15:46:10.417Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "matchCriteriaId": "E8647862-9C78-473D-9FED-7AFC24335A61", "versionEndExcluding": "2.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http.Client{}` with no SSRF protection when downloading user avatar images from the OpenID Connect `picture` claim URL. An attacker who controls their OIDC profile picture URL can force the Vikunja server to make HTTP GET requests to arbitrary internal or cloud metadata endpoints. This bypasses the SSRF protections that are correctly applied to the webhook system. Version 2.2.1 patches the issue."}, {"lang": "es", "value": "Vikunja es una plataforma de gesti\u00f3n de tareas de c\u00f3digo abierto autoalojada. Antes de la versi\u00f3n 2.2.1, la funci\u00f3n `DownloadImage` en `pkg/utils/avatar.go` utiliza un `http.Client{}` b\u00e1sico sin protecci\u00f3n SSRF al descargar im\u00e1genes de avatar de usuario de la URL de la declaraci\u00f3n 'picture' de OpenID Connect. Un atacante que controla la URL de la imagen de perfil de su OIDC puede forzar al servidor Vikunja a realizar solicitudes GET HTTP a puntos finales de metadatos internos o en la nube arbitrarios. Esto elude las protecciones SSRF que se aplican correctamente al sistema de webhooks. La versi\u00f3n 2.2.1 corrige el problema."}], "id": "CVE-2026-33679", "lastModified": "2026-03-30T13:56:01.700", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 3.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-24T16:16:35.420", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/go-vikunja/vikunja/commit/363aa6642352b08fc8bc6aaff2f3a550393af1cf"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g9xj-752q-xh63"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vikunja", "source": "cna", "vendor": "go-vikunja"}, "product": "vikunja", "vendor": "go-vikunja"}], "analysis": {"en": {"generated_at": "2026-03-30T15:22:32.309839+00:00", "value": {"mitigation_remediation": ["Upgrade the Vikunja installation to version 2.2.1 or later.", "If an upgrade cannot be performed immediately, enforce restrictions on the OpenID Connect provider so that the picture claim cannot point to external hosts, or disable avatar fetching if the application offers such a setting.", "Monitor outbound HTTP traffic from the Vikunja server for unexpected internal requests and investigate any anomalies.", "Ensure the existing webhook SSRF protections remain active and correctly configured."], "summary": {"action": "PatchImmediately", "impact": "Server\u2013Side Request Forgery via avatar download"}, "threat_synthesis": {"affected_systems": "The issue affects the Vikunja self\u2011hosted task management platform, specifically versions prior to 2.2.1. The product is provided by the vendor go\u2011vikunja under the name Vikunja. All installations that use an OpenID Connect authentication flow for user accounts are potentially impacted, as the avatar download is triggered automatically based on the picture claim.", "description_and_impact": "The vulnerable code path would download a user\u2019s avatar image from the URL stored in the OpenID Connect profile picture claim without applying any SSRF safeguards. An attacker who can control that URL can coerce the Vikunja server into sending HTTP requests to any internal or cloud\u2013metadata endpoint, revealing sensitive internal data or enabling further lateral movement. The flaw is a classic SSRF vulnerability (CWE\u2013918) that bypasses protections already enforced for the webhook feature.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity, while the EPSS score of less than 1\u202f% suggests a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to register or control an OpenID Connect identity where the picture URL can be set to a malicious endpoint, from which the server will issue the outbound request. Once triggered, the server could reach internal addresses or cloud\u2011metadata services, but the ability to read or modify data depends on the internal environment and access controls."}}}}, "created": "2026-03-25T11:47:06.673412+00:00", "updated": "2026-03-30T20:58:06.859154+00:00", "vendors": ["go-vikunja", "go-vikunja$PRODUCT$vikunja"]}