CVE-2026-33668 — Improper Authorization in API

CWE-285 — Improper Authorization CWE-863 — Incorrect Authorization5 documents4 sources

Severity

7.1HIGHNVD

EPSS

0.2%

top 58.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Code.vikunja.io API Vikunja Go-vikunja Vikunja

Timeline

PublishedMar 24

Latest updateMar 26

Description

Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue accessing the API and syncing data. Version 2.2.1 patches the issue.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

▶NVDvikunja/vikunja0.18.0 — 2.2.1

▶Gocode.vikunja.io/api0.18.0 — 2.2.1+1

▶CVEListV5go-vikunja/vikunja>= 0.18.0, < 2.2.1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect in code.vikunja.io/api↗2026-03-26

▶

GHSA

Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect↗2026-03-25

▶

OSV

Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect↗2026-03-25

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33668 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶