Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user’s status to `StatusActive` after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through `/api/v1/user/password/token` and completing the reset via `/api/v1/user/password/reset`, a disabled user can reactivate their account and bypass administrator-imposed account disablement. Version 2.2.0 patches the issue.
Published: 2026-03-24
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Administrator Bypass
Action: Immediate Patch
AI Analysis

Impact

Vikunja’s password reset logic incorrectly clears the disabled flag when a reset is performed, allowing any user who can request a reset token to reactivate an account that an administrator had disabled. This flaw permits previously disabled, potentially privileged users to regain access, thereby compromising the integrity of account management and providing a vector for privilege escalation. The weakness falls under improper access control, as the system fails to enforce the user’s disabled state during reset operations.

Affected Systems

All versions of Vikunja released before 2.2.0 are vulnerable. The issue exists in the open‑source self‑hosted application provided by the vikunja vendor. Administrators who rely on account disabling for security should be aware that disabling is ineffective until environment is updated.

Risk and Exploitability

The vulnerability scores a CVSS of 8.1, indicating high severity. No EPSS data is available, and it is not listed in the CISA KEV catalog, but the flaw is publicly known and easily exploitable via the publicly documented /api/v1/user/password/token and /api/v1/user/password/reset endpoints. An attacker only needs the ability to obtain or guess an email address associated with the account to trigger a reset, making the attack vector likely remote and low in preparation effort.

Generated by OpenCVE AI on March 24, 2026 at 20:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Vikunja to version 2.2.0 or later, which corrects the reset logic and prevents reactivation of disabled accounts.
  • Apply any vendor‑issued patches as promptly as possible to eliminate the exploit.
  • Regularly audit password‑reset usage to detect any unauthorized reactivation attempts.

Generated by OpenCVE AI on March 24, 2026 at 20:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vq4q-79hh-q767 Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement
History

Thu, 26 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Go-vikunja
Go-vikunja vikunja
Vendors & Products Go-vikunja
Go-vikunja vikunja

Tue, 24 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Vikunja
Vikunja vikunja
CPEs cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
Vendors & Products Vikunja
Vikunja vikunja

Tue, 24 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
References

Tue, 24 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Description Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user’s status to `StatusActive` after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through `/api/v1/user/password/token` and completing the reset via `/api/v1/user/password/reset`, a disabled user can reactivate their account and bypass administrator-imposed account disablement. Version 2.2.0 patches the issue.
Title Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement
Weaknesses CWE-284
CWE-862
CWE-863
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Go-vikunja Vikunja
Vikunja Vikunja
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T13:08:08.138Z

Reserved: 2026-03-18T21:23:36.676Z

Link: CVE-2026-33316

cve-icon Vulnrichment

Updated: 2026-03-26T13:08:04.255Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T15:16:35.370

Modified: 2026-03-24T19:22:10.730

Link: CVE-2026-33316

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:50:03Z

Weaknesses