CVE-2026-28268
Published 2026-02-27
Priority: P265 · Severity: critical
CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.67% (47.5th percentile)
Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Because tokens are not invalidated when they are used, and because a logic bug in the token cleanup cron job prevents them from being purged, reset tokens remain valid forever. An attacker who intercepts a single reset token (via logs, browser history, or phishing) can therefore perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.vikunja.io | api | 0 – 0.24.6 | — |
| go-vikunja | vikunja | < 2.1.0 | 2.1.0 |
| vikunja | vikunja | < 2.1.0 | 2.1.0 |
Detection & IOCs (extracted from sources)
- Monitor for repeated use of the same password reset token across multiple requests — tokens should be invalidated after first use but are not in versions prior to 2.1.0.
- Audit password reset flows in the Vikunja API (code.vikunja.io/api) for token invalidation failures; a token that persists after use indicates a vulnerable instance.
- Look for account takeover patterns where authentication is bypassed via a reused password reset token, particularly on self-hosted Vikunja instances running versions prior to 2.1.0.
- The vulnerability is specific to the Vikunja API package; only self-hosted instances running versions prior to 2.1.0 are affected.
- The token cleanup cron job contains a logic bug that prevents expired/used tokens from being purged, meaning patching to 2.1.0 is required to remediate — cron job configuration alone is insufficient on vulnerable versions.
- No public exploit is currently available, but the EPSS exploitation probability percentile is 11.8, indicating non-trivial exploitation likelihood.
OSV
Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse in code.vikunja.io/api
osv · 2026-03-10
GHSA
CVE-2026-28268 [CRITICAL] CWE-459: Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse
ghsa · 2026-02-28
**Summary**
A critical business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever.
This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls.
**Technical Analysis**
The vulnerability stems from two distinct logic errors in the pkg/user/ package that together ensure the tokens are never removed.
1. Logic Error in Password Reset (No Invalidation)
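As an added illustration (not Vikunja's code and not the fix shipped in 2.1.0), the hypothetical Go store below shows the two properties the advisory says were missing: a reset token is deleted at the moment it is consumed, so a second use fails, and the cleanup routine actually purges expired entries and reports how many it removed, so the cron job's effect can be asserted in a test. The type and method names (ResetStore, Issue, Consume, Purge) are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

var ErrInvalidToken = errors.New("reset token invalid, expired or already used")
type resetEntry struct {
	userID  int64
	expires time.Time
}

// ResetStore is a hypothetical single-use reset-token store (not Vikunja's pkg/user code).
type ResetStore map[string]resetEntry

// Issue mints a 32-byte random token for userID, valid for ttl from now.
func (s ResetStore) Issue(userID int64, now time.Time, ttl time.Duration) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	s[tok] = resetEntry{userID: userID, expires: now.Add(ttl)}
	return tok, nil
}

// Consume validates and deletes the token in one step, so a second use fails.
func (s ResetStore) Consume(tok string, now time.Time) (int64, error) {
	e, ok := s[tok]
	delete(s, tok) // also drops an expired token instead of leaving it for the cleanup job
	if !ok || !now.Before(e.expires) {
		return 0, ErrInvalidToken
	}
	return e.userID, nil
}

// Purge is the cleanup-job counterpart: it drops every expired entry and returns the count.
func (s ResetStore) Purge(now time.Time) (n int) {
	for k, e := range s {
		if !now.Before(e.expires) {
			delete(s, k)
			n++
		}
	}
	return n
}
```

A production store would key the map by a hash of the token rather than the token itself, so that a database dump does not expose live reset tokens.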
OSV
Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse
osv · 2026-02-28
No detection rules found.
No public exploits indexed.
Published: 2026-02-27