158 matches found
Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect
Summary When a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue...
Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect
When a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue accessing th...
CVE-2026-33668 Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect
Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV...
CVE-2026-33668 Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect
Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV...
CVE-2026-33668
Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV...
CVE-2026-33668
Vikunja vulnerability (CVE-2026-33668) affects versions prior to 2.2.1. When a user is disabled or locked, status checks are enforced only on local login and JWT refresh paths; API tokens, CalDAV basic auth, and OpenID Connect do not verify user status, allowing disabled/locked users to continue ...
CVE-2026-33668 Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect
Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV...
CVE-2026-33315
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...
CVE-2026-33315 Vikunja has a 2FA Bypass via Caldav Basic Auth
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...
CVE-2026-33315 Vikunja has a 2FA Bypass via Caldav Basic Auth
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...
CVE-2026-33315
CVE-2026-33315 (Vikunja) is a vulnerability in Vikunja prior to version 2.2.0 where the Caldav endpoint allows login using Basic Authentication. This enables bypass of TOTP on accounts with 2FA enabled, allowing access to protected project information such as name and description. The issue is fi...
CVE-2026-33315
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...
PT-2026-27445
Name of the Vulnerable Software and Affected Versions Vikunja versions 0.18.0 through 2.2.0 Description Vikunja is a self-hosted task management platform. When a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. The API tokens,...
Vikunja 安全漏洞
Vikunja is an open-source to-do application developed by Vikunja developers. Versions of Vikunja prior to 2.2.0 contained security vulnerabilities. These vulnerabilities stemmed from Caldav endpoints allowing login using basic authentication, which could enable users to bypass TOTP accounts that...
GO-2026-4794 Vikunja has a 2FA Bypass via Caldav Basic Auth in code.vikunja.io/api
Vikunja has a 2FA Bypass via Caldav Basic Auth in code.vikunja.io/api...
Authentication Bypass Using an Alternate Path or Channel
Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the caldav authentication process. An attacker can gain unauthorized access to sensitive project information by bypassing two-factor authentication using Basic Authentication...
Authentication Bypass Using an Alternate Path or Channel
Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the caldav authentication process. An attacker can gain unauthorized access to sensitive project information by bypassing two-factor authentication using Basic Authentication...
GHSA-47CR-F226-R4PQ Vikunja has a 2FA Bypass via Caldav Basic Auth
Summary The Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA if enabled, such as project name, description, etc. Details...
PT-2026-26752
Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.1.0 Description The Caldav endpoint allows login using Basic Authentication, which bypasses the TOTP for accounts with 2FA enabled. This allows access to project information normally protected by 2FA, such as projec...
Vikunja has a 2FA Bypass via Caldav Basic Auth
The Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA if enabled, such as project name, description, etc...