cbcvebase.
CVE-2026-28268
published 2026-02-27


Priority: P265
Severity: critical (CVSS 3.1 base score 9.8)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.67% (47.5th percentile)
Vikunja is an open-source self-hosted task management platform. In versions prior to 2.1.0, a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Because tokens are not invalidated upon use, and because a logic bug in the token cleanup cron job prevents them from being purged, reset tokens remain valid forever. An attacker who obtains a single reset token (via logs, browser history, or phishing) can therefore perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue.

Affected

3 ranges

Vendor            Product   Version range   Fixed in
code.vikunja.io   api       0 – 0.24.6      (none listed)
go-vikunja        vikunja   < 2.1.0         2.1.0
vikunja           vikunja   < 2.1.0         2.1.0

Detection & IOCs (extracted from sources)

  • Monitor for repeated use of the same password reset token across multiple requests — tokens should be invalidated after first use but are not in versions prior to 2.1.0
  • Audit password reset flows in Vikunja API (code.vikunja.io/api) for token invalidation failures; a token that persists after use indicates a vulnerable instance
  • Look for account takeover patterns where authentication is bypassed via a reused password reset token, particularly on self-hosted Vikunja instances running versions prior to 2.1.0
  • The vulnerability is specific to the Vikunja API package; only self-hosted instances running versions prior to 2.1.0 are affected
  • The token cleanup cron job contains a logic bug that prevents expired/used tokens from being purged, meaning patching to 2.1.0 is required to remediate — cron job configuration alone is insufficient on vulnerable versions
  • No public exploit is currently available, but the EPSS exploitation probability percentile is 11.8, indicating non-trivial exploitation likelihood
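As an added example (not Vikunja's code), a Go sketch of the two controls the description above says were missing: a reset-token store whose Consume marks a token used at first presentation, and whose Purge removes both used and expired tokens. ResetStore, resetToken and the error values are assumed names for this illustration; a replayed token surfaces as a distinct error, which is the event the first detection bullet asks operators to watch for.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

var (
	ErrInvalidToken = errors.New("unknown or expired reset token")
	ErrTokenReused  = errors.New("reset token already used") // alert-worthy: a replayed token
)
type resetToken struct {
	userID  int64
	expires time.Time
	used    bool
}
type ResetStore map[string]*resetToken // example stand-in for the reset-token table (assumed name)

// Issue mints a 256-bit random token bound to one user, valid for ttl.
func (s ResetStore) Issue(userID int64, ttl time.Duration) string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand.Read is guaranteed not to fail since Go 1.24
	tok := hex.EncodeToString(b)
	s[tok] = &resetToken{userID: userID, expires: time.Now().Add(ttl)}
	return tok
}

// Consume checks expiry and marks the token used in one step (in SQL: UPDATE ... WHERE used = false), so a replay fails.
func (s ResetStore) Consume(tok string) (int64, error) {
	t, ok := s[tok]
	if !ok || !time.Now().Before(t.expires) {
		return 0, ErrInvalidToken
	}
	if t.used {
		return 0, ErrTokenReused
	}
	t.used = true
	return t.userID, nil
}

// Purge is the cleanup job: it must drop used OR expired tokens; matching only one class leaves the other valid forever.
func (s ResetStore) Purge() (removed int) {
	for k, t := range s {
		if t.used || !time.Now().Before(t.expires) {
			delete(s, k)
			removed++
		}
	}
	return removed
}
```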