Description
Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue accessing the API and syncing data. Version 2.2.1 patches the issue.
Published: 2026-03-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication bypass for disabled or locked accounts
Action: Immediate Patch
AI Analysis

Impact

A flaw in the Vikunja task-management platform allows users whose accounts are marked disabled or locked to authenticate through API tokens, CalDAV basic authentication, and OpenID Connect. Because the status check is applied only to local logins and JWT token refreshes, these alternate authentication paths do not enforce the disabled/locked flag, so such accounts can still access data that should be inaccessible to them. This effectively grants the attacker the privileges of a legitimate authenticated user, putting data confidentiality and integrity at risk.
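The pattern described above, as an added illustration in Go (Vikunja's implementation language) that is not Vikunja's own code: a constructed user store with a single status gate, a token path that skips it (the vulnerable shape), and corrected API-token and CalDAV paths that all end in it. User names, tokens, passwords and the status strings are assumptions made for the example.

```go
package main

import "errors"

// Constructed model for this example; it is not Vikunja's real schema or API.
type User struct{ Name, Status string } // Status: "active", "disabled" or "locked"

var (
	ErrBadCredentials  = errors.New("invalid credentials")
	ErrAccountInactive = errors.New("account disabled or locked")

	// Constructed sample data: bob's credentials were issued while active.
	users      = map[string]*User{"alice": {"alice", "active"}, "bob": {"bob", "disabled"}}
	apiTokens  = map[string]string{"tk_alice": "alice", "tk_bob": "bob"}
	caldavPass = map[string]string{"alice": "pw-a", "bob": "pw-b"}
)

// requireActive is the single status gate every path must end in; an unknown owner fails closed.
func requireActive(name string) (*User, error) {
	u := users[name]
	if u == nil || u.Status != "active" {
		return nil, ErrAccountInactive
	}
	return u, nil
}

// Vulnerable pattern (CWE-285/863): a valid token is enough; status is never read.
func authAPITokenVulnerable(token string) (*User, error) {
	name, ok := apiTokens[token]
	if !ok {
		return nil, ErrBadCredentials
	}
	return users[name], nil
}

// Fixed pattern: credential validation, then the shared gate, on every path.
func authAPIToken(token string) (*User, error) {
	name, ok := apiTokens[token]
	if !ok {
		return nil, ErrBadCredentials
	}
	return requireActive(name)
}

func authCalDAVBasic(name, pass string) (*User, error) {
	if pw, ok := caldavPass[name]; !ok || pw != pass {
		return nil, ErrBadCredentials
	}
	return requireActive(name)
}
```

The same gate would sit at the end of the OpenID Connect callback; the point of the fix is that no path returns a user object without passing through it.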

Affected Systems

The vulnerability affects the self-hosted Vikunja platform from version 0.18.0 through 2.2.0 inclusive. All deployments of the package identified under the vendor go-vikunja, up to and including release 2.2.0, are susceptible until the application is updated to version 2.2.1 or later, which restores the status check on all authentication paths.

Risk and Exploitability

With a CVSS score of 7.1, the issue is categorized as medium-high severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. However, based on the description, it is inferred that an attacker can remotely exploit the flaw by supplying a valid API token, CalDAV credentials, or OpenID Connect cookies for a disabled or locked account, thereby bypassing the status check and gaining unauthorized access to the system.

Generated by OpenCVE AI on March 27, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Vikunja to version 2.2.1 or later to enforce account status checks across all authentication methods.
  • If an upgrade cannot be performed immediately, revoke or delete all API tokens that belong to disabled or locked accounts.
  • Disable CalDAV access for disabled or locked users either through configuration or by removing their CalDAV credentials.
  • Limit or block OpenID Connect authentication for accounts marked as disabled or locked if the platform provides such configuration options.
  • After implementing the fixes, monitor application logs for any further unauthorized authentication attempts and conduct periodic reviews of token usage.



Advisories

  • Source: Github GHSA
    ID: GHSA-94xm-jj8x-3cr4
    Title: Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect
History

Fri, 27 Mar 2026 20:15:00 +0000

  • Metrics (value added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 16:45:00 +0000

  • First Time appeared (values added): Vikunja; Vikunja vikunja
  • CPEs (value added): cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
  • Vendors & Products (values added): Vikunja; Vikunja vikunja
  • Metrics (value added): cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Wed, 25 Mar 2026 12:00:00 +0000

  • First Time appeared (values added): Go-vikunja; Go-vikunja vikunja
  • Vendors & Products (values added): Go-vikunja; Go-vikunja vikunja

Tue, 24 Mar 2026 15:45:00 +0000

  • Description (value added): Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue accessing the API and syncing data. Version 2.2.1 patches the issue.
  • Title (value added): Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect
  • Weaknesses (values added): CWE-285; CWE-863
  • References: none listed in this entry
  • Metrics (value added): cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T19:52:13.977Z

Reserved: 2026-03-23T15:23:42.220Z

Link: CVE-2026-33668

Vulnrichment

Updated: 2026-03-26T19:51:38.677Z

NVD

Status: Analyzed

Published: 2026-03-24T16:16:34.623

Modified: 2026-03-27T16:44:58.507

Link: CVE-2026-33668

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:26:41Z

Weaknesses