Lucene search
K

158 matches found

Github Security Blog
Github Security Blog
added 2026/03/25 9:10 p.m.5 views

Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect

Summary When a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue...

8.1CVSS5.9AI score0.00453EPSS
Exploits1References8Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/03/25 12:0 a.m.6 views

Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect

When a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue accessing th...

8.1CVSS5.8AI score0.00453EPSS
Exploits1References9Affected Software1
Cvelist
Cvelist
added 2026/03/24 3:30 p.m.19 views

CVE-2026-33668 Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect

Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV...

7.1CVSS0.00453EPSS
Exploits1References6
Vulnrichment
Vulnrichment
added 2026/03/24 3:30 p.m.1 views

CVE-2026-33668 Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect

Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV...

7.1CVSS5.9AI score0.00453EPSS
Exploits1References6
ATTACKERKB
ATTACKERKB
added 2026/03/24 3:30 p.m.1 views

CVE-2026-33668

Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV...

7.1CVSS5.8AI score0.00453EPSS
Exploits1References7Affected Software1
CVE
CVE
added 2026/03/24 3:30 p.m.15 views

CVE-2026-33668

Vikunja vulnerability (CVE-2026-33668) affects versions prior to 2.2.1. When a user is disabled or locked, status checks are enforced only on local login and JWT refresh paths; API tokens, CalDAV basic auth, and OpenID Connect do not verify user status, allowing disabled/locked users to continue ...

8.1CVSS5.8AI score0.00453EPSS
Exploits1References6Affected Software1
OSV
OSV
added 2026/03/24 3:30 p.m.5 views

CVE-2026-33668 Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect

Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV...

7.1CVSS6.3AI score0.00453EPSS
Exploits1References8
NVD
NVD
added 2026/03/24 3:16 p.m.11 views

CVE-2026-33315

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...

6.9CVSS0.00302EPSS
Exploits1References3
OSV
OSV
added 2026/03/24 2:53 p.m.5 views

CVE-2026-33315 Vikunja has a 2FA Bypass via Caldav Basic Auth

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...

6.9CVSS6.3AI score0.00302EPSS
Exploits1References5
Cvelist
Cvelist
added 2026/03/24 2:53 p.m.21 views

CVE-2026-33315 Vikunja has a 2FA Bypass via Caldav Basic Auth

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...

6.9CVSS0.00302EPSS
Exploits1References3
CVE
CVE
added 2026/03/24 2:53 p.m.25 views

CVE-2026-33315

CVE-2026-33315 (Vikunja) is a vulnerability in Vikunja prior to version 2.2.0 where the Caldav endpoint allows login using Basic Authentication. This enables bypass of TOTP on accounts with 2FA enabled, allowing access to protected project information such as name and description. The issue is fi...

6.9CVSS5.8AI score0.00302EPSS
Exploits1References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/24 2:53 p.m.3 views

CVE-2026-33315

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...

6.9CVSS5.8AI score0.00302EPSS
Exploits1References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/24 12:0 a.m.5 views

PT-2026-27445

Name of the Vulnerable Software and Affected Versions Vikunja versions 0.18.0 through 2.2.0 Description Vikunja is a self-hosted task management platform. When a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. The API tokens,...

8.1CVSS5.8AI score0.00453EPSS
Exploits1References11
CNNVD
CNNVD
added 2026/03/24 12:0 a.m.10 views

Vikunja 安全漏洞

Vikunja is an open-source to-do application developed by Vikunja developers. Versions of Vikunja prior to 2.2.0 contained security vulnerabilities. These vulnerabilities stemmed from Caldav endpoints allowing login using basic authentication, which could enable users to bypass TOTP accounts that...

6.9CVSS6.4AI score0.00302EPSS
Exploits1References3
OSV
OSV
added 2026/03/23 6:16 p.m.3 views

GO-2026-4794 Vikunja has a 2FA Bypass via Caldav Basic Auth in code.vikunja.io/api

Vikunja has a 2FA Bypass via Caldav Basic Auth in code.vikunja.io/api...

6.9CVSS5.8AI score0.00302EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/20 5:25 p.m.3 views

Authentication Bypass Using an Alternate Path or Channel

Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the caldav authentication process. An attacker can gain unauthorized access to sensitive project information by bypassing two-factor authentication using Basic Authentication...

6.9CVSS5.9AI score0.00302EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/20 5:25 p.m.2 views

Authentication Bypass Using an Alternate Path or Channel

Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the caldav authentication process. An attacker can gain unauthorized access to sensitive project information by bypassing two-factor authentication using Basic Authentication...

6.9CVSS6.4AI score0.00302EPSS
Exploits1References2
OSV
OSV
added 2026/03/20 5:25 p.m.8 views

GHSA-47CR-F226-R4PQ Vikunja has a 2FA Bypass via Caldav Basic Auth

Summary The Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA if enabled, such as project name, description, etc. Details...

6.9CVSS5.8AI score0.00302EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2026/03/20 12:0 a.m.6 views

PT-2026-26752

Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.1.0 Description The Caldav endpoint allows login using Basic Authentication, which bypasses the TOTP for accounts with 2FA enabled. This allows access to project information normally protected by 2FA, such as projec...

6.9CVSS5.9AI score0.00302EPSS
Exploits1References6
GitLab Advisory Database
GitLab Advisory Database
added 2026/03/20 12:0 a.m.9 views

Vikunja has a 2FA Bypass via Caldav Basic Auth

The Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA if enabled, such as project name, description, etc...

6.9CVSS5.8AI score0.00302EPSS
Exploits1References6Affected Software1
Rows per page
Query Builder