Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An attacker who compromises an account (via brute-force or credential stuffing) can maintain persistent access even after the victim resets their password. Version 2.0.0 contains a fix.
Published: 2026-02-25
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Persistent unauthorized access after password reset
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from a weak password policy that allows easily guessable passwords such as 1234 or password, coupled with persistent sessions that remain logged in even after a user changes their password. An attacker who compromises an account through brute‑force or credential‑stuffing attacks can retain unauthorized access after the legitimate user resets their password, effectively bypassing the intended security boundary. Because the system does not enforce a minimum password strength, any user can fall into this scenario, making the impact a persistent unauthenticated or unauthorized session.

Affected Systems

This issue affects the open‑source self‑hosted task management platform Vikunja from the vendor go‑vikunja:vikunja, namely all releases older than version 2.0.0. Version 2.0.0 and later incorporate the fix that enforces stronger password requirements and invalidates sessions when the password is updated.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.1, indicating a high‑severity risk. The EPSS score is less than 1% at the time of analysis, implying a low but non‑zero probability of exploitation in the wild. It is not listed in the CISA KEV catalog. The likely attack vector is remote, requiring access to the web application’s authentication endpoint; once a valid account is compromised, the attacker benefits from persistent sessions that survive password changes. Because the attacker’s session does not expire, the vulnerability can be abused to maintain covert malicious presence, making it difficult to detect or mitigate without intervention.

Generated by OpenCVE AI on April 17, 2026 at 14:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vikunja to version 2.0.0 or later, where the password strength enforcement and session invalidation are implemented.
  • If an upgrade is temporarily unfeasible, enforce a stricter password policy manually by configuring the application (or an external authentication layer) to require a minimum length and character complexity.
  • Implement session invalidation on password change by disabling persistent session cookies or configuring the app to log users out immediately after a password change, so that an attacker’s existing session is terminated.

Generated by OpenCVE AI on April 17, 2026 at 14:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3ccg-x393-96v8 Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change
History

Thu, 05 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Vikunja
Vikunja vikunja
CPEs cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
Vendors & Products Vikunja
Vikunja vikunja

Fri, 27 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Go-vikunja
Go-vikunja vikunja
Vendors & Products Go-vikunja
Go-vikunja vikunja

Wed, 25 Feb 2026 22:00:00 +0000

Type Values Removed Values Added
Description Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An attacker who compromises an account (via brute-force or credential stuffing) can maintain persistent access even after the victim resets their password. Version 2.0.0 contains a fix.
Title Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change
Weaknesses CWE-521
CWE-613
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Go-vikunja Vikunja
Vikunja Vikunja
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T20:39:18.888Z

Reserved: 2026-02-20T17:40:28.449Z

Link: CVE-2026-27575

cve-icon Vulnrichment

Updated: 2026-02-26T20:39:13.432Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T22:16:26.383

Modified: 2026-03-05T17:21:37.413

Link: CVE-2026-27575

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T15:00:11Z

Weaknesses