CVE-2026-35597 — Improper Restriction of Excessive Authentication Attempts in Vikunja

CWE-307 — Improper Restriction of Excessive Authentication Attempts2 documents2 sources

Severity

5.9MEDIUMNVD

EPSS

0.0%

top 88.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Go-vikunja Vikunja Code.vikunja.io API

Timeline

PublishedApr 10

Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the TOTP failed-attempt lockout mechanism is non-functional due to a database transaction handling bug. When a TOTP validation fails, the login handler in pkg/routes/api/v1/login.go calls HandleFailedTOTPAuth and then unconditionally rolls back. HandleFailedTOTPAuth in pkg/user/totp.go uses an in-memory counter (key-value store) to track failed attempts. When the counter reaches 10, it calls user.SetStatus(s, StatusA…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

▶Gocode.vikunja.io/api< 2.3.0

▶CVEListV5go-vikunja/vikunja< 2.3.0

🔴Vulnerability Details

GHSA

Vikunja Vulnerable to TOTP Brute-Force Due to Non-Functional Account Lockout↗2026-04-10

▶