CVE-2026-34727

EUVD-2026-21414
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second factor is completely skipped. This vulnerability is fixed in 2.3.0.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.4 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 20%
Affected Products (NVD)
VendorProductVersion
vikunjavikunja
𝑥
< 2.3.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8jvc-mcx6-r4cg
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8jvc-mcx6-r4cg