CVE-2026-34727 - Vulnerability Details

- Vikunja ahs a TOTP Two-Factor Authentication Bypass via OIDC Login Path

Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second factor is completely skipped. This vulnerability is fixed in 2.3.0.

Published: 2026-04-10

Score: 7.4 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Vikunja, an open‑source task management platform, has a flaw in its OIDC callback handling where a full JWT token is issued without verifying that the user has TOTP two‑factor authentication enabled. Consequently, a local user who has enrolled TOTP can be matched through the OIDC email fallback and gain access without completing the second factor. This bypass effectively undermines the intended two‑factor protection and maps to CWE‑287, which deals with authentication bypass by credential manipulation.

Affected Systems

The vulnerability exists in Vikunja releases older than version 2.3.0. Users running these earlier releases are at risk; the issue is resolved in version 2.3.0 and later.

Risk and Exploitability

The CVSS score of 7.4 denotes a high severity, indicating that an attacker can fully compromise the authentication process. The vulnerability is exploitable remotely via the OIDC login path, without needing any additional privileges. Although EPSS data is unavailable and the flaw is not listed in the CISA KEV catalog, the ability to bypass two‑factor authentication presents a critical threat to identity integrity and confidentiality.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

go-vikunja

vikunja

affected

Version	Status	Constraints
`< 2.3.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Go-vikunja

Vikunja

100%

Version	Status	Scheme	Platform
`[0,2.3.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Vikunja to version 2.3.0 or later, which includes the fix for the TOTP bypass.
Verify that two‑factor authentication is enforced for all users, especially those logging in through OIDC paths.
Monitor authentication logs for anomalous OIDC activity and consider disabling the email fallback configuration until you confirm the fix is fully effective.

Generated by OpenCVE AI on April 10, 2026 at 17:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-8jvc-mcx6-r4cg	Vikunja has TOTP Two-Factor Authentication Bypass via OIDC Login Path

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00281.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8jvc-mcx6-r4cg

History

Mon, 20 Apr 2026 20:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Vikunja Vikunja vikunja
CPEs		cpe:2.3:a:vikunja:vikunja::::::::
Vendors & Products		Vikunja Vikunja vikunja

Mon, 13 Apr 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 13 Apr 2026 13:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Go-vikunja Go-vikunja vikunja
Vendors & Products		Go-vikunja Go-vikunja vikunja

Fri, 10 Apr 2026 16:00:00 +0000

Type	Values Removed	Values Added
Description		Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second factor is completely skipped. This vulnerability is fixed in 2.3.0.
Title		Vikunja ahs a TOTP Two-Factor Authentication Bypass via OIDC Login Path
Weaknesses		CWE-287
References		https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8jvc-mcx6-r4cg
Metrics		cvssV3_1 `{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}`

Subscriptions

Go-vikunja Vikunja

Vikunja Vikunja

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-10T15:45:30.662Z

Updated: 2026-04-13T15:37:32.071Z

Reserved: 2026-03-30T18:41:20.753Z

Link: CVE-2026-34727

Vulnrichment

Updated: 2026-04-13T15:26:37.332Z

NVD

Status : Analyzed

Published: 2026-04-10T16:16:31.853

Modified: 2026-06-17T10:39:31.167

Link: CVE-2026-34727

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T13:01:09Z

Weaknesses

CWE-287
Improper Authentication

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object