CVE-2026-34727: Improper Authentication in Vikunja

Severity: 7.4 HIGH (NVD)
EPSS: 0.0% (top 86.41%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 10

Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second factor is completely skipped. This vulnerability is fixed in 2.3.0.
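To make the described flaw concrete, here is an added, hypothetical Go sketch of an OIDC callback (not Vikunja's code; the `User`, `lookupUser`, `vulnerableCallback` and `fixedCallback` names and the sample account are assumptions). It shows the match order from the advisory, a version that hands out a full session without consulting TOTP, and a hardened version that still owes the second factor when the matched local user has TOTP enrolled.

```go
package main

import "fmt"

// User is a hypothetical local account record, not Vikunja's own type.
type User struct {
	ID          int
	Email       string
	OIDCSubject string
	TOTPEnabled bool
}

// lookupUser follows the matching order the advisory describes: OIDC subject first, e-mail claim as fallback.
func lookupUser(users []User, subject, email string) (User, bool) {
	for _, u := range users {
		if u.OIDCSubject != "" && u.OIDCSubject == subject {
			return u, true
		}
	}
	for _, u := range users {
		if u.Email == email {
			return u, true
		}
	}
	return User{}, false
}

// vulnerableCallback mirrors the pre-2.3.0 behaviour: a full session for whoever matched, TOTP never consulted.
func vulnerableCallback(users []User, subject, email string) (userID int, needsTOTP bool, ok bool) {
	u, found := lookupUser(users, subject, email)
	if !found {
		return 0, false, false
	}
	return u.ID, false, true
}

// fixedCallback withholds the full session when the matched user has TOTP enrolled, so the second factor is still required.
func fixedCallback(users []User, subject, email string) (userID int, needsTOTP bool, ok bool) {
	u, found := lookupUser(users, subject, email)
	if !found {
		return 0, false, false
	}
	return u.ID, u.TOTPEnabled, true
}

func main() {
	users := []User{{ID: 1, Email: "alice@example.test", TOTPEnabled: true}} // constructed sample: TOTP enrolled, no OIDC link yet
	_, vulnNeeds, _ := vulnerableCallback(users, "idp-sub-1", "alice@example.test")
	_, fixedNeeds, _ := fixedCallback(users, "idp-sub-1", "alice@example.test")
	fmt.Println("second factor required: vulnerable =", vulnNeeds, "fixed =", fixedNeeds)
}
```

The e-mail fallback is exactly the path where the two versions diverge: the subject-matched user without TOTP is treated the same by both.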

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.2 | Impact: 5.2

Affected Packages (2 packages)

CVEListV5: go-vikunja/vikunja < 2.3.0

Vulnerability Details (2)

VulDB: go-vikunja up to 2.2.x OIDC Call improper authentication (GHSA-8jvc-mcx6-r4cg), 2026-04-10
GHSA: Vikunja has TOTP Two-Factor Authentication Bypass via OIDC Login Path, 2026-04-10