CVE-2026-33668

EUVD-2026-14913

24.03.2026, 16:16

Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue accessing the API and syncing data. Version 2.2.1 patches the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.1 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
vikunja	vikunja	0.18.0 ≤ 𝑥 < 2.2.1

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-94xm-jj8x-3cr4

Common Weakness Enumeration

CWE-285 - Improper Authorization
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References

https://github.com/go-vikunja/vikunja/commit/033922309f492996c928122fb49b691339199c35

https://github.com/go-vikunja/vikunja/commit/04704e0fde4b027039cf583110cee7afe136fc1b

https://github.com/go-vikunja/vikunja/commit/0b04768d830c80e9fde1b0962db1499cc652da0e

https://github.com/go-vikunja/vikunja/commit/fd452b9cb6457fd4f9936527a14c359818f1cca7

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-94xm-jj8x-3cr4

https://vikunja.io/changelog/vikunja-v2.2.2-was-released