Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API

The GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials basicauthuser and basicauthpassword in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC secret field, the BasicAuth fields added in a later migration we...

CVE-2026-33677 Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials basicauthuser and basicauthpassword in plaintext to any user with read access to the project. While the existing code...

CVE-2026-33677 Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials basicauthuser and basicauthpassword in plaintext to any user with read access to the project. While the existing code...

CVE-2026-33677

Vikunja (self-hosted task management) prior to version 2.2.1 exposes webhook BasicAuth credentials (basic_auth_user, basic_auth_password) via GET /api/v1/projects/:project/webhooks to any user with read access. The code already masks the HMAC secret, but the BasicAuth fields were not masked after...