CVE-2026-33668

Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue accessing the API and syncing data. Version 2.2.1 patches the issue.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/go-vikunja/vikunja/commit/033922309f492996c928122fb49b691339199c35	Patch
https://github.com/go-vikunja/vikunja/commit/04704e0fde4b027039cf583110cee7afe136fc1b	Patch
https://github.com/go-vikunja/vikunja/commit/0b04768d830c80e9fde1b0962db1499cc652da0e	Patch
https://github.com/go-vikunja/vikunja/commit/fd452b9cb6457fd4f9936527a14c359818f1cca7	Patch
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-94xm-jj8x-3cr4	Exploit Vendor Advisory
https://vikunja.io/changelog/vikunja-v2.2.2-was-released	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*

History

27 Mar 2026, 16:44

Type	Values Removed	Values Added
First Time		Vikunja Vikunja vikunja
CPE		cpe:2.3:a:vikunja:vikunja::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.1
References	~~() https://github.com/go-vikunja/vikunja/commit/033922309f492996c928122fb49b691339199c35 -~~	() https://github.com/go-vikunja/vikunja/commit/033922309f492996c928122fb49b691339199c35 - Patch
References	~~() https://github.com/go-vikunja/vikunja/commit/04704e0fde4b027039cf583110cee7afe136fc1b -~~	() https://github.com/go-vikunja/vikunja/commit/04704e0fde4b027039cf583110cee7afe136fc1b - Patch
References	~~() https://github.com/go-vikunja/vikunja/commit/0b04768d830c80e9fde1b0962db1499cc652da0e -~~	() https://github.com/go-vikunja/vikunja/commit/0b04768d830c80e9fde1b0962db1499cc652da0e - Patch
References	~~() https://github.com/go-vikunja/vikunja/commit/fd452b9cb6457fd4f9936527a14c359818f1cca7 -~~	() https://github.com/go-vikunja/vikunja/commit/fd452b9cb6457fd4f9936527a14c359818f1cca7 - Patch
References	~~() https://github.com/go-vikunja/vikunja/security/advisories/GHSA-94xm-jj8x-3cr4 -~~	() https://github.com/go-vikunja/vikunja/security/advisories/GHSA-94xm-jj8x-3cr4 - Exploit, Vendor Advisory
References	~~() https://vikunja.io/changelog/vikunja-v2.2.2-was-released -~~	() https://vikunja.io/changelog/vikunja-v2.2.2-was-released - Release Notes

25 Mar 2026, 15:41

Type	Values Removed	Values Added
Summary		(es) Vikunja es una plataforma de gestión de tareas de código abierto autoalojada. A partir de la versión 0.18.0 y antes de la versión 2.2.1, cuando una cuenta de usuario está deshabilitada o bloqueada, la verificación de estado solo se aplica en el inicio de sesión local y en las rutas de actualización de tokens JWT. Otras tres rutas de autenticación — tokens de API, autenticación básica de CalDAV y OpenID Connect — no verifican el estado del usuario, permitiendo que los usuarios deshabilitados o bloqueados continúen accediendo a la API y sincronizando datos. La versión 2.2.1 corrige el problema.

24 Mar 2026, 16:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-24 16:16

Updated : 2026-03-27 16:44

NVD link : CVE-2026-33668

Mitre link : CVE-2026-33668

CVE.ORG link : CVE-2026-33668

JSON object : View

Products Affected

vikunja

vikunja

CWE

CWE-285

Improper Authorization

CWE-863

Incorrect Authorization

8.1 /10