CVE-2026-33679

6.4 MEDIUM
Published: March 24, 2026 Modified: March 30, 2026
View on NVD

Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `DownloadImage` function in `pkg/utils/avatar.go` uses a bare `http.Client{}` with no SSRF protection when downloading user avatar images from the OpenID Connect `picture` claim URL. An attacker who controls their OIDC profile picture URL can force the Vikunja server to make HTTP GET requests to arbitrary internal or cloud metadata endpoints. This bypasses the SSRF protections that are correctly applied to the webhook system. Version 2.2.1 patches the issue.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/go-vikunja/vikunja/commit/363aa6642352b08fc8bc6aaff2f3a550393af1cf
Source: security-advisories@github.com
Patch
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g9xj-752q-xh63
Source: security-advisories@github.com
Exploit Vendor Advisory
https://vikunja.io/changelog/vikunja-v2.2.2-was-released
Source: security-advisories@github.com
Release Notes

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
6.4 / 10.0
EPSS (Exploit Probability)
0.0%
12th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-918

Affected Vendors

vikunja

Related CVEs

CVE-2026-6416 2.7
CVE-2026-6408 2.7
CVE-2026-6392 2.7
CVE-2026-6386 N/A
CVE-2026-5398 N/A