CVE-2026-33316Improper Access Control in Vikunja

CWE-284Improper Access ControlCWE-862Missing AuthorizationCWE-863Incorrect Authorization5 documents4 sources
Severity
8.1HIGHNVD
EPSS
0.0%
top 90.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Go-vikunja VikunjaVikunjaCode.vikunja.io API
Timeline
Latest updateMar 23
PublishedMar 24

Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user’s status to `StatusActive` after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through `/api/v1/user/password/token` and completing the reset via `/api/v1/user/password/reset`, a disabled user ca

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages3 packages

NVDvikunja/vikunja< 2.2.0
CVEListV5go-vikunja/vikunja< 2.2.0

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement in code.vikunja.io/api2026-03-23
OSV
Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement2026-03-20
GHSA
Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement2026-03-20

🕵️Threat Intelligence

1
Wiz
CVE-2026-33316 Impact, Exploitability, and Mitigation Steps | Wiz