Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA (if enabled), such as project name, description, etc. Version 2.2.0 patches the issue.
Published: 2026-03-24
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Two-factor (TOTP) bypass on the CalDAV endpoint exposing project data of 2FA-enabled accounts to anyone holding the account password
Action: Apply Patch
AI Analysis

Impact

Vikunja's CalDAV endpoint accepts HTTP Basic Authentication with only a username and password and never presents the TOTP challenge that the normal login flow enforces. An attacker who already holds a user's password (from phishing, credential reuse or a leak) can therefore read the project data that 2FA was meant to protect, such as project names and descriptions. This is an authentication bypass through an alternate path (CWE-288): the second factor is enforced on one login route but not on another route that reaches the same data. The CVSS 4.0 base score of 6.9 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N) reflects a network-reachable, low-complexity attack with limited confidentiality impact and no integrity or availability impact; the advisory describes read access only.

Affected Systems

All installations of go-vikunja:vikunja running a version earlier than 2.2.0 are affected. Version 2.2.0 patches the issue. The advisory does not describe the mechanism of the fix, so the upgrade itself, not any assumed configuration change, is the remediation.

Risk and Exploitability

The risk is moderate. The CVSS 4.0 score is 6.9, while the NVD CVSS 3.1 score is 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N); the two vectors differ mainly on whether the victim's password counts as a privilege the attacker already holds. The vulnerability is exploitable remotely over the network. EPSS puts the probability of exploitation below 1%, the SSVC assessment records a public proof of concept ("poc"), marks the flaw automatable and rates the technical impact as partial, and it is not listed in CISA's KEV catalog. The attack is simple: the attacker sends a CalDAV request carrying the victim's username and password in an Authorization: Basic header; the server validates the password, never asks for the TOTP code, and serves the user's project resources. Both CVSS vectors and the advisory describe read access only; neither claims the ability to modify or delete data.

Generated by OpenCVE AI on March 24, 2026 at 20:53 UTC.
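The following is an added illustration in Go (Vikunja's own language), not code from Vikunja or from the advisory. It shows the CWE-288 pattern described above as a minimal CalDAV Basic Auth check that consults only the password, next to a hardened version that refuses the account password for 2FA-enabled users and accepts only a per-client application token. The in-memory accounts, the sample passwords and tokens, the /dav/ path and the application-token design are all assumptions of the example; the page does not say how version 2.2.0 fixes the bug.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// Account is a constructed, in-memory stand-in for a user record. Passwords are
// plaintext only so the example runs stand-alone; a real store keeps hashes.
// AppTokens models per-client passwords minted only from a fully authenticated
// (password + TOTP) session. That is an assumption of this example, not a
// description of the Vikunja 2.2.0 fix, which the advisory does not detail.
type Account struct {
	Name        string
	Password    string
	TOTPEnabled bool
	AppTokens   []string
}

// Constructed sample accounts: alice has TOTP enabled, bob does not.
var accounts = map[string]*Account{
	"alice": {Name: "alice", Password: "correct horse battery staple", TOTPEnabled: true, AppTokens: []string{"caldav-token-9f2a"}},
	"bob":   {Name: "bob", Password: "hunter2"},
}

var ErrUnauthorized = errors.New("unauthorized")
var ErrSecondFactorNeeded = errors.New("password alone is not sufficient for a 2FA-enabled account")

// equal compares secrets in constant time.
func equal(a, b string) bool { return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1 }

// VulnerableCalDAVAuth is the CWE-288 pattern: an alternate login path that
// checks only the password, so whoever holds it never meets the TOTP prompt
// that the web login would enforce. acct.TOTPEnabled is never consulted.
func VulnerableCalDAVAuth(r *http.Request) (*Account, error) {
	user, pass, ok := r.BasicAuth()
	if !ok {
		return nil, ErrUnauthorized
	}
	acct := accounts[user]
	if acct == nil || !equal(pass, acct.Password) {
		return nil, ErrUnauthorized
	}
	return acct, nil
}

// HardenedCalDAVAuth refuses the account password over Basic Auth once 2FA is
// on. Such accounts must present an app token, which is only issued after a
// full login, so the second factor is enforced on every path to the data.
func HardenedCalDAVAuth(r *http.Request) (*Account, error) {
	user, pass, ok := r.BasicAuth()
	if !ok {
		return nil, ErrUnauthorized
	}
	acct := accounts[user]
	if acct == nil {
		return nil, ErrUnauthorized
	}
	for _, tok := range acct.AppTokens {
		if equal(pass, tok) {
			return acct, nil
		}
	}
	if !equal(pass, acct.Password) {
		return nil, ErrUnauthorized
	}
	if acct.TOTPEnabled {
		return nil, ErrSecondFactorNeeded
	}
	return acct, nil
}

// CalDAVHandler answers every failure with the same 401 so the endpoint is not
// a password-validity oracle; the precise reason goes to the server log only.
func CalDAVHandler(auth func(*http.Request) (*Account, error)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		acct, err := auth(r)
		if err != nil {
			log.Printf("caldav auth rejected for %s: %v", r.URL.Path, err)
			w.Header().Set("WWW-Authenticate", `Basic realm="CalDAV"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprintf(w, "project listing for %s\n", acct.Name)
	})
}

// NewCalDAVRequest builds the request a client (or attacker) would send. The
// /dav/ path is assumed for illustration, not taken from the advisory.
func NewCalDAVRequest(user, pass string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/dav/principals/"+user+"/", nil)
	r.SetBasicAuth(user, pass)
	return r
}

// Probe runs one Basic Auth request through a handler and returns the HTTP status.
func Probe(h http.Handler, user, pass string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, NewCalDAVRequest(user, pass))
	return rec.Code
}

func main() {
	type policy struct {
		name string
		auth func(*http.Request) (*Account, error)
	}
	for _, p := range []policy{{"vulnerable", VulnerableCalDAVAuth}, {"hardened", HardenedCalDAVAuth}} {
		h := CalDAVHandler(p.auth)
		fmt.Printf("%-10s alice+password -> %d\n", p.name, Probe(h, "alice", "correct horse battery staple"))
		fmt.Printf("%-10s alice+token    -> %d\n", p.name, Probe(h, "alice", "caldav-token-9f2a"))
		fmt.Printf("%-10s bob+password   -> %d\n", p.name, Probe(h, "bob", "hunter2"))
	}
}
```

Running it shows the vulnerable policy returning 200 for alice's password on the CalDAV path, exactly the bypass the advisory describes, while the hardened policy returns 401 for the password and 200 only for the token. Returning the same 401 for "wrong password" and "right password, second factor missing" matters: a hardened endpoint that distinguished the two would still let an attacker confirm a stolen password.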

Remediation

Vendor fix: upgrade to Vikunja 2.2.0 or later (see GHSA-47cr-f226-r4pq). No vendor-supplied workaround for earlier versions is listed.

OpenCVE Recommended Actions

  • Upgrade Vikunja to version 2.2.0 or later, the version that patches the issue.
  • If an upgrade cannot be performed immediately, restrict the CalDAV endpoint at the reverse proxy to a narrow set of trusted client addresses, or disable the CalDAV interface until the patch is applied.
  • Because the account password alone is sufficient on this path, treat 2FA-enabled accounts whose passwords may already be known to an attacker as exposed and rotate those passwords after upgrading.


Advisories
Source: GitHub GHSA
ID: GHSA-47cr-f226-r4pq
Title: Vikunja has a 2FA Bypass via Caldav Basic Auth
History

All entries below are values added; no entry removed a value.

Wed, 25 Mar 2026 12:00:00 +0000
  • First time appeared: Go-vikunja; Go-vikunja vikunja
  • Vendors & Products: Go-vikunja; Go-vikunja vikunja

Tue, 24 Mar 2026 19:30:00 +0000
  • First time appeared: Vikunja; Vikunja vikunja
  • CPEs: cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
  • Vendors & Products: Vikunja; Vikunja vikunja
  • Metrics (cvssV3_1): score 4.3, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tue, 24 Mar 2026 16:15:00 +0000
  • Metrics (ssvc, version 2.0.3): Automatable: yes; Exploitation: poc; Technical Impact: partial

Tue, 24 Mar 2026 15:45:00 +0000
  • References

Tue, 24 Mar 2026 15:15:00 +0000
  • Description: the initial CVE description (identical to the Description at the top of this page)
  • Title: Vikunja has a 2FA Bypass via Caldav Basic Auth
  • Weaknesses: CWE-288
  • References
  • Metrics (cvssV4_0): score 6.9, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T15:33:55.744Z

Reserved: 2026-03-18T21:23:36.676Z

Link: CVE-2026-33315

Vulnrichment

Updated: 2026-03-24T15:33:45.879Z

NVD

Status: Analyzed

Published: 2026-03-24T15:16:35.227

Modified: 2026-03-24T19:21:46.057

Link: CVE-2026-33315

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:50:04Z

Weaknesses