CVE-2026-33473
Published 2026-03-24
Priority P4 · 31 · medium · 5.7 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:L / UI:R / S:U / C:H / I:N / A:N
EPSS: 0.26% (17.0th percentile)
Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.vikunja.io | api | >= 0.13 | — |
| go-vikunja | vikunja | — | — |
| vikunja | vikunja | >= 0.13 < 2.2.1 | 2.2.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N |
| ghsa | — | 5.7 | MEDIUM | — |
| osv | — | 5.7 | MEDIUM | — |
OSV
Vikunja has TOTP Reuse During Validity Window in code.vikunja.io/api
osv · 2026-03-23 · CVE-2026-33473
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: .
GHSA
Vikunja has TOTP Reuse During Validity Window
ghsa · 2026-03-20 · CVSS 5.7 · MEDIUM · CWE-287 · CVE-2026-33473
### Summary
Any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window.
### Details
The code below is called when a user with 2FA enabled authenticates to the application. Once they submit a valid username-password-TOTP combination, the user is authenticated. If that same TOTP is used for the same user's account again within the validity window, the second session is also authenticated successfully.
**Source**: pkg/user/totp.go:128
```go
// ValidateTOTPPasscode validates TOTP codes of users.
func ValidateTOTPPasscode(s *xorm.Session, passcode *TOTPPasscode) (t *TOTP, err error) {
	t, err = GetTOTPForUser(s, passcode.User)
	if err != nil {
		return
	}
	if !totp.Validate(passcode.Passcode, t.Secr
	// (the advisory excerpt ends here, mid-expression)
```
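As an added illustration (not Vikunja's code), the following Go program models the flaw described above and its fix: a stateless check accepts the same code as often as it is presented within its 30-second step, while a validator that records the last accepted time step per user rejects the replay. The TOTP routine, the user names and the in-memory map are constructed for the demo; a real service would persist the last-used step alongside the user record.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// totpAt returns the six-digit RFC 6238 code for one 30-second time step
// (HOTP over the step counter with RFC 4226 dynamic truncation).
func totpAt(secret []byte, step uint64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], step)
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// Validator remembers, per user, the last time step at which a code was accepted (demo: in memory).
type Validator struct{ lastStep map[string]uint64 }

func NewValidator() *Validator { return &Validator{lastStep: map[string]uint64{}} }

// ValidateStateless models the flawed check: a matching code is accepted every time it is presented.
func (v *Validator) ValidateStateless(user string, secret []byte, code string, now uint64) bool {
	return code == totpAt(secret, now/30)
}

// ValidateOnce models the fix: the code must match and its step must be newer
// than the last step consumed by this user; the step is then recorded.
func (v *Validator) ValidateOnce(user string, secret []byte, code string, now uint64) bool {
	step := now / 30
	if code != totpAt(secret, step) {
		return false
	}
	if last, ok := v.lastStep[user]; ok && step <= last {
		return false // replay within (or before) an already-consumed step
	}
	v.lastStep[user] = step
	return true
}

func main() { // constructed demo: RFC 6238 test key, two logins 24 s apart in the same 30-second step
	secret, v := []byte("12345678901234567890"), NewValidator()
	code := totpAt(secret, 35/30)
	fmt.Println(v.ValidateStateless("alice", secret, code, 35), v.ValidateStateless("alice", secret, code, 59)) // true true
	fmt.Println(v.ValidateOnce("alice", secret, code, 35), v.ValidateOnce("alice", secret, code, 59))           // true false
}
```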
OSV
Vikunja has TOTP Reuse During Validity Window
osv · 2026-03-20 · CVSS 5.7 · MEDIUM · CVE-2026-33473
No detection rules found.
No public exploits indexed.