{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-10T17:53:17.659","vulnerabilities":[{"cve":{"id":"CVE-2026-33677","sourceIdentifier":"security-advisories@github.com","published":"2026-03-24T16:16:35.113","lastModified":"2026-03-27T16:29:43.947","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the `GET /api/v1/projects/:project/webhooks` endpoint returns webhook BasicAuth credentials (`basic_auth_user` and `basic_auth_password`) in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC `secret` field, the BasicAuth fields added in a later migration were not given the same treatment. This allows read-only collaborators to steal credentials intended for authenticating against external webhook receivers. Version 2.2.1 patches the issue."},{"lang":"es","value":"Vikunja es una plataforma de gestión de tareas de código abierto autoalojada. Antes de la versión 2.2.1, el endpoint 'GET /API/v1/projects/:project/webhooks' devuelve las credenciales BasicAuth del webhook ('basic_auth_user' y 'basic_auth_password') en texto plano a cualquier usuario con acceso de lectura al proyecto. Si bien el código existente enmascara correctamente el campo 'secret' de HMAC, los campos BasicAuth añadidos en una migración posterior no recibieron el mismo tratamiento. Esto permite a los colaboradores de solo lectura robar credenciales destinadas a la autenticación contra receptores de webhook externos. La versión 2.2.1 corrige el problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-200"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*","versionEndExcluding":"2.2.1","matchCriteriaId":"E8647862-9C78-473D-9FED-7AFC24335A61"}]}]}],"references":[{"url":"https://github.com/go-vikunja/vikunja/security/advisories/GHSA-7c2g-p23p-4jg3","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"https://vikunja.io/changelog/vikunja-v2.2.2-was-released","source":"security-advisories@github.com","tags":["Release Notes"]}]}}]}