CVE-2026-33315 — Authentication Bypass Using an Alternate Path or Channel in Vikunja

CWE-288 — Authentication Bypass Using an Alternate Path or Channel5 documents4 sources

Severity

6.9MEDIUMNVD

EPSS

0.1%

top 70.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Go-vikunja Vikunja Vikunja Code.vikunja.io API

Timeline

Latest updateMar 23

PublishedMar 24

Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA (if enabled), such as project name, description, etc. Version 2.2.0 patches the issue.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

▶NVDvikunja/vikunja< 2.2.0

▶CVEListV5go-vikunja/vikunja< 2.2.0

▶Gocode.vikunja.io/api2.1.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

Vikunja has a 2FA Bypass via Caldav Basic Auth in code.vikunja.io/api↗2026-03-23

▶

GHSA

Vikunja has a 2FA Bypass via Caldav Basic Auth↗2026-03-20

▶

OSV

Vikunja has a 2FA Bypass via Caldav Basic Auth↗2026-03-20

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33315 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶