CVE-2026-29794Reliance on Untrusted Inputs in a Security Decision in API

CWE-807Reliance on Untrusted Inputs in a Security Decision5 documents4 sources
Severity
5.3MEDIUMNVD
EPSS
0.1%
top 76.51%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Code.vikunja.io APIVikunjaGo-vikunja Vikunja
Timeline
PublishedMar 20
Latest updateMar 23

Description

Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the `X-Forwarded-For` or `X-Real-IP` headers due to the rate-limit relying on the value of `(echo.Context).RealIP`. Unauthenticated users can abuse endpoints available to them for different potential impacts. The immediate concern would be brute-forcing usernames or specific accounts' passwo

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

NVDvikunja/vikunja0.82.2.0
Gocode.vikunja.io/api0.82.2.0
CVEListV5go-vikunja/vikunja>= 0.8, < 2.2.0

🔴Vulnerability Details

3
OSV
Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers in code.vikunja.io/api2026-03-23
OSV
Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers2026-03-20
GHSA
Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers2026-03-20

🕵️Threat Intelligence

1
Wiz
CVE-2026-29794 Impact, Exploitability, and Mitigation Steps | Wiz