Description
Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the `X-Forwarded-For` or `X-Real-IP` headers due to the rate-limit relying on the value of `(echo.Context).RealIP`. Unauthenticated users can abuse endpoints available to them for different potential impacts. The immediate concern would be brute-forcing usernames or specific accounts' passwords. This bypass allows unlimited requests against unauthenticated endpoints. Version 2.2.0 patches the issue.
Published: 2026-03-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted request flooding for unauthenticated users
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in Vikunja enables an unauthenticated attacker to bypass the application’s built‑in rate limit by sending spoofed X-Forwarded-For or X-Real-IP headers. The rate‑limiting logic mistakenly trusts these headers as the client IP, allowing the attacker to issue an unlimited number of requests. This flaw can be exploited to perform brute‑force scans of usernames or passwords, and to overload the server with excessive traffic. The weakness is a classic example of unvalidated user input that leads to uncontrolled request handling.

Affected Systems

All Vikunja installations from version 0.8 up through the patch release 2.1.x are affected. The vendor is Vikunja, an open‑source self‑hosted task management platform. The vulnerable component is the rate‑limit middleware that relies on the echo.Context RealIP field to enforce request quotas.

Risk and Exploitability

With a CVSS score of 5.3, the issue is classified as medium severity, and the EPSS score is below 1%, indicating a low likelihood of active exploitation. It is not included in the CISA KEV catalog. The attack vector is remote and requires no authentication; the attacker merely crafts HTTP requests with spoofed IP headers. If the application is exposed to the Internet, this can lead to denial‑of‑service or credential‑guessing attacks.

Generated by OpenCVE AI on March 24, 2026 at 22:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vikunja to version 2.2.0 or later to receive the vendor patch.
  • If an upgrade is not possible, configure your reverse proxy or load balancer to reject or sanitize X-Forwarded-For and X-Real-IP headers from untrusted sources.
  • Apply an additional layer of rate limiting on unauthenticated endpoints at the network or application level to cap request rates.

Generated by OpenCVE AI on March 24, 2026 at 22:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m547-hp4w-j6jx Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers
History

Tue, 24 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Vikunja
Vikunja vikunja
CPEs cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
Vendors & Products Vikunja
Vikunja vikunja

Fri, 20 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Go-vikunja
Go-vikunja vikunja
Vendors & Products Go-vikunja
Go-vikunja vikunja

Fri, 20 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Description Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the `X-Forwarded-For` or `X-Real-IP` headers due to the rate-limit relying on the value of `(echo.Context).RealIP`. Unauthenticated users can abuse endpoints available to them for different potential impacts. The immediate concern would be brute-forcing usernames or specific accounts' passwords. This bypass allows unlimited requests against unauthenticated endpoints. Version 2.2.0 patches the issue.
Title Vikunja has Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers
Weaknesses CWE-807
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Go-vikunja Vikunja
Vikunja Vikunja
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T17:15:23.140Z

Reserved: 2026-03-04T16:26:02.900Z

Link: CVE-2026-29794

cve-icon Vulnrichment

Updated: 2026-03-20T17:15:18.020Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T15:16:16.393

Modified: 2026-03-24T21:18:04.037

Link: CVE-2026-29794

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:29:22Z

Weaknesses