Summary
The DELETE /api/v1/projects/:project/shares/:share endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares from other projects by providing their own project ID combined with the target share ID.
Details
The permission check in canDoLinkShare (pkg/models/link_sharing_permissions.go:53-70) validates admin access on the project from the :project URL parameter. However, the Delete method at pkg/models/link_sharing.go:305 queries only WHERE id = ? using the share ID, without verifying it belongs to the URL-specified project:
func (share *LinkSharing) Delete(s *xorm.Session, _ web.Auth) (err error) {
	_, err = s.Where("id = ?", share.ID).Delete(share)
	return
}
This is the same vulnerability class as GHSA-jfmm-mjcp-8wq2 (task attachment IDOR) and the fixed GHSA-mr3j-p26x-72x4 (task comment IDOR).
Additionally, ReadOne at line 203 has the same pattern (WHERE id = ? only), though it is not currently exploitable because CanRead fails first due to an unrelated issue with the hash parameter binding.
Reproduction
- User A creates Project A and a link share on it (share ID = X)
- User B creates Project B (gaining admin access)
- User B calls DELETE /api/v1/projects/{projectB_id}/shares/{X}
- The permission check passes (User B is admin on Project B)
- The delete executes WHERE id = X, deleting User A's link share
Impact
An authenticated user with admin access to any project can:
- Delete link shares belonging to any other project in the system
- Disrupt collaboration by removing shared access links
Link share IDs are sequential integers, so enumerating them is trivial.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Change Delete at pkg/models/link_sharing.go:305 to:
_, err = s.Where("id = ? AND project_id = ?", share.ID, share.ProjectID).Delete(share)
Also fix ReadOne at line 203 as defense in depth.
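The following is an added example, not Vikunja's code or the advisory's, that models the Details and Remediation sections in plain Go with an in-memory store standing in for the database (no xorm dependency). It places the vulnerable delete (authorize on the URL project, then delete by share ID alone) next to the hardened form whose predicate also binds the project ID, and runs both against the reproduction scenario. All IDs, usernames and the Store type are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed model, not Vikunja's code: every link share belongs to one project.
type LinkShare struct {
	ID        int64
	ProjectID int64
}

// Store stands in for the database: a table of shares plus project admin membership.
type Store struct {
	shares map[int64]LinkShare
	admins map[int64]map[string]bool // projectID -> admin usernames
}

var (
	ErrForbidden = errors.New("forbidden: not an admin of the URL project")
	ErrNotFound  = errors.New("share not found in this project")
)

func NewStore() *Store {
	return &Store{shares: map[int64]LinkShare{}, admins: map[int64]map[string]bool{}}
}

// isProjectAdmin mirrors the permission check the advisory describes: it only
// consults the project taken from the URL and never looks at the share itself.
func (st *Store) isProjectAdmin(user string, projectID int64) bool {
	return st.admins[projectID][user]
}

// Has reports whether a share still exists, so callers can observe the effect of a delete.
func (st *Store) Has(shareID int64) bool {
	_, ok := st.shares[shareID]
	return ok
}

// DeleteUnscoped reproduces the vulnerable pattern: authorize against the URL
// project, then delete by share ID alone (the equivalent of WHERE id = ?).
func (st *Store) DeleteUnscoped(user string, urlProjectID, shareID int64) error {
	if !st.isProjectAdmin(user, urlProjectID) {
		return ErrForbidden
	}
	if !st.Has(shareID) {
		return ErrNotFound
	}
	delete(st.shares, shareID) // removes the share whatever project it belongs to
	return nil
}

// DeleteScoped is the hardened form from the remediation advice: the delete
// predicate also binds the project from the URL (WHERE id = ? AND project_id = ?),
// so a share in another project yields zero affected rows and nothing is removed.
func (st *Store) DeleteScoped(user string, urlProjectID, shareID int64) error {
	if !st.isProjectAdmin(user, urlProjectID) {
		return ErrForbidden
	}
	sh, ok := st.shares[shareID]
	if !ok || sh.ProjectID != urlProjectID {
		return ErrNotFound
	}
	delete(st.shares, shareID)
	return nil
}

// seed builds the reproduction scenario with constructed IDs: share 42 lives in
// project 1 (User A's), and User B is admin only of project 2.
func seed() *Store {
	st := NewStore()
	st.shares[42] = LinkShare{ID: 42, ProjectID: 1}
	st.admins[1] = map[string]bool{"userA": true}
	st.admins[2] = map[string]bool{"userB": true}
	return st
}

func main() {
	st := seed()
	fmt.Println("unscoped:", st.DeleteUnscoped("userB", 2, 42), "share 42 still exists:", st.Has(42))
	st = seed()
	fmt.Println("scoped:  ", st.DeleteScoped("userB", 2, 42), "share 42 still exists:", st.Has(42))
}
```

The point the two functions make is that the permission check and the data access must agree on the same scope: checking admin rights on the URL project is correct, but it only protects that project if the query is constrained to it as well. Returning a not-found result for a mismatched project (rather than a distinct "belongs elsewhere" error) also avoids confirming that the guessed share ID exists.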
Frequently Asked Questions
- What is CVE-2026-33700? CVE-2026-33700 is a medium-severity security vulnerability in code.vikunja.io/api (go), affecting versions < 2.2.1. It is fixed in 2.2.1.
- Which versions of code.vikunja.io/api are affected by CVE-2026-33700? code.vikunja.io/api (go) versions < 2.2.1 are affected.
- Is there a fix for CVE-2026-33700? Yes. CVE-2026-33700 is fixed in 2.2.1. Upgrade to this version or later.
- Is CVE-2026-33700 exploitable, and should I be worried? Whether CVE-2026-33700 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-33700 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-33700? Upgrade code.vikunja.io/api to 2.2.1 or later.