Description
Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue.
Published: 2026-03-24
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication bypass via repeated use of a one‑time password
Action: Apply patch
AI Analysis

Impact

Vikunja allows a two‑factor authentication code to be reused within the normal thirty‑second validity period. An attacker who obtains or predicts a valid TOTP can replay it until it expires, gaining access to the victim’s account without needing the previous code. This flaw is a Classic Authentication Bypass weakness (CWE‑287) and can expose all data protected by the user’s account.

Affected Systems

The vulnerability affects all hosted Vikunja installations running versions from 0.13 up to, but excluding, 2.2.1. That range includes the 2.2.0 release and earlier branches. Users who have enabled 2FA on these versions are exposed.

Risk and Exploitability

The CVSS score of 5.7 indicates moderate severity. The EPSS probability is below 1 %, and the flaw is not listed in CISA’s KEV catalog, suggesting limited widespread exploitation to date. The likely attack vector is remote, requiring an attacker to obtain a valid TOTP for a target account or to compromise an existing session. If achieved, the attacker can reuse the code until the next sixty‑second window ends, allowing continued access for several minutes.

Generated by OpenCVE AI on March 27, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vikunja to version 2.2.1 or later where the issue is patched

Generated by OpenCVE AI on March 27, 2026 at 18:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-p747-qc5p-773r Vikunja has TOTP Reuse During Validity Window
History

Fri, 27 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Vikunja
Vikunja vikunja
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
Vendors & Products Vikunja
Vikunja vikunja

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Go-vikunja
Go-vikunja vikunja
Vendors & Products Go-vikunja
Go-vikunja vikunja

Tue, 24 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Description Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue.
Title Vikunja has TOTP Reuse During Validity Window
Weaknesses CWE-287
References
Metrics cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}

Subscriptions

Go-vikunja Vikunja
Vikunja Vikunja
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T17:11:26.042Z

Reserved: 2026-03-20T16:16:48.969Z

Link: CVE-2026-33473

cve-icon Vulnrichment

Updated: 2026-03-24T17:11:21.195Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T16:16:33.710

Modified: 2026-03-27T16:53:32.720

Link: CVE-2026-33473

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T20:26:43Z

Weaknesses