
6 matches found

RedhatCVE
added 2026/04/13 7:23 p.m. | 2 views

CVE-2026-35597

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the TOTP failed-attempt lockout mechanism is non-functional due to a database transaction handling bug. When a TOTP validation fails, the login handler in pkg/routes/api/v1/login.go calls HandleFailedTOTPAuth and then...

CVSS 7.5 | AI score 5.8 | EPSS 0.00056
Exploits 1 | References 1

NVD
added 2026/04/10 5:17 p.m. | 2 views

CVE-2026-35597

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the TOTP failed-attempt lockout mechanism is non-functional due to a database transaction handling bug. When a TOTP validation fails, the login handler in pkg/routes/api/v1/login.go calls HandleFailedTOTPAuth and then...

CVSS 7.5 | EPSS 0.00056
Exploits 1 | References 4

CVE
added 2026/04/10 4:3 p.m. | 9 views

CVE-2026-35597

Vikunja prior to 2.3.0 is vulnerable to TOTP brute-forcing because the login failure path writes the account lock status (StatusAccountLocked) on the same DB session that is rolled back after a failed TOTP check. The in-memory counter in HandleFailedTOTPAuth tracks failures, and once it reaches 1...

CVSS 7.5 | AI score 5.8 | EPSS 0.00056
Exploits 1 | References 4 | Affected Software 1

Github Security Blog
added 2026/04/10 3:34 p.m. | 3 views

Vikunja Vulnerable to TOTP Brute-Force Due to Non-Functional Account Lockout

Summary The TOTP failed-attempt lockout mechanism is non-functional due to a database transaction handling bug. The account lock is written to the same database session that the login handler always rolls back on TOTP failure, so the lockout is triggered but never persisted. This allows unlimited...

CVSS 7.5 | AI score 5.9 | EPSS 0.00056
Exploits 1 | References 6 | Affected Software 1

OSV
added 2026/04/10 3:34 p.m. | 2 views

GHSA-FGFV-PV97-6CMJ Vikunja Vulnerable to TOTP Brute-Force Due to Non-Functional Account Lockout

Summary The TOTP failed-attempt lockout mechanism is non-functional due to a database transaction handling bug. The account lock is written to the same database session that the login handler always rolls back on TOTP failure, so the lockout is triggered but never persisted. This allows unlimited...

CVSS 5.9 | AI score 5.9 | EPSS 0.00056
Exploits 1 | References 6

Positive Technologies
added 2026/04/10 12:0 a.m. | 2 views

PT-2026-31948

Summary The TOTP failed-attempt lockout mechanism is non-functional due to a database transaction handling bug. The account lock is written to the same database session that the login handler always rolls back on TOTP failure, so the lockout is triggered but never persisted. This allows unlimited...

CVSS 5.9 | AI score 5.9 | EPSS 0.00056
Exploits 1 | References 7