CVE-2026-34727
Published 2026-04-10
Priority P355 · critical 9.1 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.28% (19.8th percentile)
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second factor is completely skipped. This vulnerability is fixed in 2.3.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code.vikunja.io | api | >= 0 < 2.3.0 | 2.3.0 |
| go-vikunja | vikunja | < 2.3.0 | 2.3.0 |
| vikunja | vikunja | < 2.3.0 | 2.3.0 |
VulDB
go-vikunja up to 2.2.x OIDC Call improper authentication (GHSA-8jvc-mcx6-r4cg)
vuldb·2026-04-10·CVSS 7.4
CVE-2026-34727 [HIGH] go-vikunja up to 2.2.x OIDC Call improper authentication (GHSA-8jvc-mcx6-r4cg)
A vulnerability was found in go-vikunja vikunja up to 2.2.x and classified as critical. Affected by this vulnerability is an unknown functionality of the component OIDC Call Handler. Such manipulation leads to improper authentication.
This vulnerability is documented as CVE-2026-34727. The attack can be executed remotely. No exploit is available.
It is suggested to upgrade the affected component.
GHSA
Vikunja has TOTP Two-Factor Authentication Bypass via OIDC Login Path
ghsa·2026-04-10
CVE-2026-34727 [HIGH] CWE-287 Vikunja has TOTP Two-Factor Authentication Bypass via OIDC Login Path
## Summary
The OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second factor is completely skipped.
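The two code paths the advisory contrasts, modelled as an added example in Go. This is illustrative code written for this page, not Vikunja's own; the `User` type, `TOTPEnabledForUser`, the JWT `scope` claim and the `totp_pending` exchange step are assumptions. The 2.2.x-style callback mints a full session JWT as soon as the email lookup succeeds; the hardened variant checks TOTP enrolment first and hands out only a short-lived token that can do nothing but complete the second factor. The TOTP routine is plain RFC 6238 (HMAC-SHA1, six digits, 30 s step), so it can be checked against the RFC's published test vector.

```go
// Added illustrative example for this page, not Vikunja's code. User,
// TOTPEnabledForUser, the "scope" claim and the totp_pending step are assumptions.
package main
import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// User stands in for the application's user record (constructed for the example).
type User struct {
	ID         int64
	TOTPSecret []byte // nil when TOTP has not been enrolled
}
var signingKey = []byte("constructed-demo-key-do-not-use")

// TOTPEnabledForUser is the check the local login path makes and the 2.2.x OIDC callback omitted.
func TOTPEnabledForUser(u *User) bool { return len(u.TOTPSecret) > 0 }

// mintJWT builds an HS256 JWT whose "scope" claim is "full" or "totp_pending".
func mintJWT(u *User, scope string, ttl time.Duration, now time.Time) string {
	b64 := base64.RawURLEncoding
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]any{"sub": u.ID, "scope": scope, "exp": now.Add(ttl).Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// scopeOf checks the signature and returns the token's scope claim.
func scopeOf(tok string) (string, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2])
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return "", errors.New("bad signature")
	}
	var c struct{ Scope string `json:"scope"` }
	err = json.Unmarshal(raw, &c)
	return c.Scope, err
}

// totpCode is RFC 6238 TOTP: HMAC-SHA1 over the 30 s step counter, dynamic truncation, six digits.
func totpCode(secret []byte, t time.Time) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t.Unix()/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(h[off:off+4])&0x7fffffff)%1000000)
}

// vulnerableOIDCCallback models 2.2.x: once the provider's email matches a local user, a full session token is issued with no look at TOTP enrolment.
func vulnerableOIDCCallback(u *User, now time.Time) string {
	return mintJWT(u, "full", 24*time.Hour, now)
}

// fixedOIDCCallback issues a full token only when no TOTP is enrolled; otherwise a short-lived token that can do nothing but finish the TOTP step.
func fixedOIDCCallback(u *User, now time.Time) string {
	if TOTPEnabledForUser(u) {
		return mintJWT(u, "totp_pending", 5*time.Minute, now)
	}
	return mintJWT(u, "full", 24*time.Hour, now)
}

// completeTOTP exchanges a pending token plus a valid passcode for a full token.
func completeTOTP(pending string, u *User, passcode string, now time.Time) (string, error) {
	if scope, err := scopeOf(pending); err != nil || scope != "totp_pending" {
		return "", errors.New("not a TOTP-pending token")
	}
	if !hmac.Equal([]byte(passcode), []byte(totpCode(u.TOTPSecret, now))) {
		return "", errors.New("invalid TOTP passcode")
	}
	return mintJWT(u, "full", 24*time.Hour, now), nil
}

func main() {
	now := time.Unix(1700000000, 0)
	alice := &User{ID: 1, TOTPSecret: []byte("constructed-secret")} // TOTP enrolled
	s1, _ := scopeOf(vulnerableOIDCCallback(alice, now))
	s2, _ := scopeOf(fixedOIDCCallback(alice, now))
	fmt.Println("2.2.x-style callback:", s1, "| hardened callback:", s2)
}
```

Whether Vikunja 2.3.0 implements its fix with a pending-token exchange or by some other means is not stated on this page; the point of the example is the enrolment check itself, which the local login handler already performed and the OIDC callback did not, and the fact that a token minted before that check must not carry full session authority.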
## Details
The OIDC callback at `pkg/modules/auth/openid/openid.go:185` issues a JWT directly after user lookup:
```go
return auth.NewUserAuthTokenResponse(u, c, false)
```
There are zero references to TOTP in the entire `pkg/modules/auth/openid/` directory. By contrast, the local login handler at `pkg/routes/api/v1/login.go:79-102` correctly implements TOTP verification:
```go
totpEnabled, err := user2.TOTPEnabledForUser(s, user)
if totpEnabled {
	// ... the snippet is truncated here in the source advisory excerpt
```
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-10