8 matches found
CVE-2026-34727
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback...
CVE-2026-34727
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback...
CVE-2026-34727 Vikunja ahs a TOTP Two-Factor Authentication Bypass via OIDC Login Path
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback...
GHSA-8JVC-MCX6-R4CG Vikunja has TOTP Two-Factor Authentication Bypass via OIDC Login Path
Summary The OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second factor is completely skipped. Details The OIDC callback...
Improper Authentication
Overview Affected versions of this package are vulnerable to Improper Authentication in the OIDC login process when the EmailFallback mechanism is enabled. An attacker can gain unauthorized access to accounts protected by TOTP by authenticating to the OIDC provider with a matching email address,...
Improper Authentication
Overview Affected versions of this package are vulnerable to Improper Authentication in the OIDC login process when the EmailFallback mechanism is enabled. An attacker can gain unauthorized access to accounts protected by TOTP by authenticating to the OIDC provider with a matching email address,...
Vikunja has TOTP Two-Factor Authentication Bypass via OIDC Login Path
Summary The OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second factor is completely skipped. Details The OIDC callback...
PT-2026-31944
Summary The OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second factor is completely skipped. Details The OIDC callback...