{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/vikunja-before-2.2.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-56765"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Vikunja (before 2.2.1)"],"_cs_severities":["critical"],"_cs_tags":["authorization-bypass","idor","data-exfiltration","data-destruction","web-application","cve"],"_cs_type":"advisory","_cs_vendors":["Vikunja"],"content_html":"\u003cp\u003eCVE-2026-56765 details two critical authorization flaws affecting Vikunja versions prior to 2.2.1. The first vulnerability resides in the \u003ccode\u003eLinkSharing.ReadAll\u003c/code\u003e API endpoint, which inadvertently exposes sensitive share hashes to any authenticated user possessing read access. This exposure allows an attacker to obtain hashes for admin-level shares, facilitating a privilege escalation to gain unauthorized access to administrative functions or content. The second flaw is an Insecure Direct Object Reference (IDOR) found in the \u003ccode\u003eGetTaskAttachment\u003c/code\u003e endpoint. While this endpoint performs initial permission checks based on user-supplied task IDs, it subsequently fetches attachments by sequential ID without proper ownership verification. This oversight enables an attacker to bypass access controls, leading to the unauthorized download and deletion of all file attachments across every project within the Vikunja instance, resulting in severe data breach and data loss risks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker, with at least read access to the Vikunja instance, sends a request to the \u003ccode\u003eLinkSharing.ReadAll\u003c/code\u003e API endpoint.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eLinkSharing.ReadAll\u003c/code\u003e endpoint responds by exposing sensitive share hashes, including those associated with admin-level shares, to the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the obtained admin-level share hashes to bypass intended access controls and escalate their privileges to gain unauthorized access to administrative functions or content.\u003c/li\u003e\n\u003cli\u003e(Potentially independently or chained) The attacker sends requests to the \u003ccode\u003eGetTaskAttachment\u003c/code\u003e endpoint, supplying arbitrary task IDs.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eGetTaskAttachment\u003c/code\u003e endpoint performs permission checks against the \u003cem\u003esupplied\u003c/em\u003e task ID but then fetches attachments by \u003cem\u003esequential ID\u003c/em\u003e from the backend data store.\u003c/li\u003e\n\u003cli\u003eThe endpoint fails to verify ownership or authorization for the attachments retrieved by sequential ID, allowing the attacker to bypass access controls.\u003c/li\u003e\n\u003cli\u003eThe attacker iterates through sequential attachment IDs, downloading all file attachments across all projects throughout the entire Vikunja instance, leading to data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker can also leverage the same IDOR to send delete requests for these sequential attachment IDs, resulting in the deletion of all file attachments across all projects instance-wide.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-56765 leads to critical security consequences impacting the entire Vikunja instance. Attackers can escalate their privileges to administrative levels, gaining unauthorized control over the platform's features and data. More significantly, the IDOR vulnerability allows for an instance-wide data breach, enabling attackers to download all user-uploaded file attachments from every project. This could expose sensitive business documents, personal information, or proprietary data. Furthermore, the ability to delete all file attachments across all projects poses a severe data destruction risk, potentially leading to irreversible data loss and significant operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch Vikunja installations to version 2.2.1 or later immediately to remediate CVE-2026-56765.\u003c/li\u003e\n\u003cli\u003eReview access logs for the \u003ccode\u003eLinkSharing.ReadAll\u003c/code\u003e and \u003ccode\u003eGetTaskAttachment\u003c/code\u003e endpoints for suspicious or excessive access patterns.\u003c/li\u003e\n\u003cli\u003eImplement API gateway logging to capture full HTTP request and response bodies for deeper analysis of unexpected data exposure or IDOR attempts on \u003ccode\u003eCVE-2026-56765\u003c/code\u003e related endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T15:18:05Z","date_published":"2026-07-10T15:18:05Z","id":"https://feed.craftedsignal.io/briefs/2026-07-vikunja-auth-idor/","summary":"Authorization flaws in Vikunja before version 2.2.1 allow authenticated users with read access to escalate privileges by obtaining admin-level share hashes via the LinkSharing.ReadAll endpoint, and also permit instance-wide data exfiltration and destruction by manipulating task attachments through an Insecure Direct Object Reference (IDOR) vulnerability in the GetTaskAttachment endpoint.","title":"Authorization Flaws in Vikunja Expose Share Hashes and Allow Attachment Manipulation","url":"https://feed.craftedsignal.io/briefs/2026-07-vikunja-auth-idor/"}],"language":"en","title":"CraftedSignal Threat Feed - Vikunja (Before 2.2.1)","version":"https://jsonfeed.org/version/1.1"}