CVE-2026-33679

CVE-2026-33679 is a medium-severity server-side request forgery (SSRF) vulnerability in code.vikunja.io/api (go), affecting versions <= 2.2.0. It is fixed in 2.2.1.

Summary

The DownloadImage function in pkg/utils/avatar.go uses a bare http.Client{} with no SSRF protection when downloading user avatar images from the OpenID Connect picture claim URL. An attacker who controls their OIDC profile picture URL can force the Vikunja server to make HTTP GET requests to arbitrary internal or cloud metadata endpoints. This bypasses the SSRF protections that are correctly applied to the webhook system.

Details

When a user authenticates via OpenID Connect, Vikunja extracts the picture claim from the ID token or UserInfo endpoint and passes it to syncUserAvatarFromOpenID, which calls utils.DownloadImage with the attacker-controlled URL:

Claim extraction (pkg/modules/auth/openid/openid.go:70-78):

type claims struct {
	Email              string                   `json:"email"`
	Name               string                   `json:"name"`
	PreferredUsername   string                   `json:"preferred_username"`
	Nickname           string                   `json:"nickname"`
	VikunjaGroups      []map[string]interface{} `json:"vikunja_groups"`
	Picture            string                   `json:"picture"`
	// ...
}

Avatar sync trigger (pkg/modules/auth/openid/openid.go:348-352):

// Try sync avatar if available
err = syncUserAvatarFromOpenID(s, u, cl.Picture)
if err != nil {
	log.Errorf("Error syncing avatar for user %s: %v", u.Username, err)
}

Vulnerable download (pkg/utils/avatar.go:94-115):

func DownloadImage(url string) ([]byte, error) {
	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
	defer cancel()

	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return nil, fmt.Errorf("failed to create HTTP request: %w", err)
	}

	resp, err := (&http.Client{}).Do(req)  // No SSRF protection
	// ...
	return io.ReadAll(resp.Body)  // No size limit
}

In contrast, the webhook system correctly applies SSRF protection (pkg/models/webhooks.go:306-310):

if !config.WebhooksAllowNonRoutableIPs.GetBool() {
	guardian := ssrf.New(ssrf.WithAnyPort())
	transport.DialContext = (&net.Dialer{
		Control: guardian.Safe,
	}).DialContext
}

The avatar download path has none of this protection. There is no URL scheme validation, no IP address filtering, and no response body size limit.

PoC

Prerequisites: A Vikunja instance with OpenID Connect configured (e.g., Keycloak, Authentik). Attacker has an account on the OIDC provider.

Step 1: Set up a listener to observe incoming requests:

# On attacker-controlled server or internal service
nc -lvp 8888

Step 2: In the OIDC provider (e.g., Keycloak admin), update the attacker's user profile picture URL to an internal address:

http://169.254.169.254/latest/meta-data/iam/security-credentials/

Or to probe internal services:

http://internal-service:8888/admin

Step 3: Log in to Vikunja via the OIDC provider. After the callback completes, the Vikunja server will make a GET request from its own network context to the URL set in the picture claim.

Step 4: Observe the request arriving at the internal endpoint or listener. The request originates from the Vikunja server's IP, bypassing any network-level access controls that allow Vikunja server traffic.

Cloud metadata example (AWS):

# Set picture URL to:
http://169.254.169.254/latest/meta-data/iam/security-credentials/

# Vikunja server makes GET to this URL from its own network context
# The response is read into memory (io.ReadAll) before image.Decode fails
# The HTTP request itself reaches the metadata service

Impact

  • Cloud metadata access: Attacker can reach cloud instance metadata services (AWS IMDSv1 at 169.254.169.254, GCP, Azure equivalents) from the Vikunja server's network position, potentially leaking IAM credentials, instance identity tokens, and configuration data.
  • Internal network reconnaissance: Port scanning and service discovery of internal hosts reachable from the Vikunja server by observing response timing and error messages.
  • Internal service interaction: Any internal service that acts on GET requests (cache purges, status endpoints, admin panels) can be triggered.
  • Memory pressure: The io.ReadAll call with no size limit means pointing the URL at a large resource could cause memory exhaustion on the Vikunja server, though the 3-second timeout partially mitigates this.
  • Repeated exploitation: The SSRF triggers on every OIDC login, allowing the attacker to iterate through different internal URLs by updating their OIDC profile between logins.

Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside. Typical impact: access to internal metadata services, internal APIs, or cloud credentials.

CVE-2026-33679 has a CVSS score of 6.4 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.2.1); upgrading removes the vulnerable code path.

Affected versions

code.vikunja.io/api (<= 2.2.0)

Security releases

code.vikunja.io/api → 2.2.1 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Apply the same SSRF protection used in webhooks to DownloadImage, and add a response body size limit:

// pkg/utils/avatar.go
import (
	"net"
	"code.dny.dev/ssrf"
)

func DownloadImage(url string) ([]byte, error) {
	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
	defer cancel()

	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return nil, fmt.Errorf("failed to create HTTP request: %w", err)
	}

	// SSRF protection: block requests to non-globally-routable IPs
	guardian := ssrf.New(ssrf.WithAnyPort())
	client := &http.Client{
		Transport: &http.Transport{
			DialContext: (&net.Dialer{
				Control: guardian.Safe,
			}).DialContext,
		},
	}

	resp, err := client.Do(req)
	if err != nil {
		return nil, fmt.Errorf("failed to download image: %w", err)
	}
	defer resp.Body.Close()

	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("failed to download image, status code: %d", resp.StatusCode)
	}

	// Limit response body to 10MB to prevent memory exhaustion
	const maxAvatarSize = 10 * 1024 * 1024
	return io.ReadAll(io.LimitReader(resp.Body, maxAvatarSize))
}

Frequently Asked Questions

  1. What is CVE-2026-33679? CVE-2026-33679 is a medium-severity server-side request forgery (SSRF) vulnerability in code.vikunja.io/api (go), affecting versions <= 2.2.0. It is fixed in 2.2.1. Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside.
  2. How severe is CVE-2026-33679? CVE-2026-33679 has a CVSS score of 6.4 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of code.vikunja.io/api are affected by CVE-2026-33679? code.vikunja.io/api (go) versions <= 2.2.0 is affected.
  4. Is there a fix for CVE-2026-33679? Yes. CVE-2026-33679 is fixed in 2.2.1. Upgrade to this version or later.
  5. Is CVE-2026-33679 exploitable, and should I be worried? Whether CVE-2026-33679 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-33679 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-33679? Upgrade code.vikunja.io/api to 2.2.1 or later.

Other vulnerabilities in code.vikunja.io/api

CVE-2026-40103CVE-2026-35602CVE-2026-35601CVE-2026-35600CVE-2026-35599

Stop the waste.
Protect your environment with Kodem.