CVE-2026-33668

Severity: High (CVSS 4.0 base score 7.1) · EPSS 36.1%
Published Mar 24, 2026 · Last Modified Jun 17, 2026

Description

Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue accessing the API and syncing data. Version 2.2.1 patches the issue.
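The bug class described above is an authorization check that lives in one code path instead of in the one function every path shares. The Go program below is an added illustration written for this page, not Vikunja's code: the types, maps and function names (User, resolveActiveUser, authAPIToken, authCalDAVBasic, authOIDC) are hypothetical, and the user table and credential stores are constructed in memory. It shows the vulnerable shape (the API-token path hands back a user without reading its status) beside the fix, where every non-login path must go through a single resolver that refuses disabled or locked accounts.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// UserStatus and User model only what the status check needs
// (hypothetical types for this example, not Vikunja's own).
type UserStatus int

const (
	StatusActive   UserStatus = iota
	StatusDisabled            // administratively disabled
	StatusLocked              // e.g. locked after repeated failed logins
)

type User struct {
	ID       int64
	Username string
	Status   UserStatus
}

var (
	ErrUnknownCredential = errors.New("unknown credential")
	ErrAccountInactive   = errors.New("account is disabled or locked")
)

// Constructed stand-ins for the user table and for the credential store each
// authentication path consults. Passwords are plaintext only to keep the
// example short; a real store holds hashes.
var users = map[int64]*User{
	1: {ID: 1, Username: "alice", Status: StatusActive},
	2: {ID: 2, Username: "bob", Status: StatusDisabled},
	3: {ID: 3, Username: "carol", Status: StatusLocked},
}
var apiTokens = map[string]int64{"tk_alice": 1, "tk_bob": 2}
var caldavPasswords = map[string]struct {
	ID       int64
	Password string
}{
	"alice": {1, "correct-horse"},
	"carol": {3, "battery-staple"},
}
var oidcSubjects = map[string]int64{"idp|alice": 1, "idp|bob": 2}

// Vulnerable shape: the credential resolves to a user and that user is
// returned without Status ever being read. The same omission on the CalDAV
// and OIDC paths is what the advisory describes.
func authAPITokenVulnerable(token string) (*User, error) {
	id, ok := apiTokens[token]
	if !ok {
		return nil, ErrUnknownCredential
	}
	return users[id], nil
}

// resolveActiveUser is the single choke point: it is the only function that
// turns a user ID into a usable principal, so no path can skip the check.
func resolveActiveUser(id int64) (*User, error) {
	u, ok := users[id]
	if !ok {
		return nil, ErrUnknownCredential
	}
	if u.Status != StatusActive {
		return nil, ErrAccountInactive
	}
	return u, nil
}

// Fixed paths: credential lookup, then the shared resolver.
func authAPIToken(token string) (*User, error) {
	id, ok := apiTokens[token]
	if !ok {
		return nil, ErrUnknownCredential
	}
	return resolveActiveUser(id)
}

func authCalDAVBasic(username, password string) (*User, error) {
	rec, ok := caldavPasswords[username]
	if !ok || subtle.ConstantTimeCompare([]byte(rec.Password), []byte(password)) != 1 {
		return nil, ErrUnknownCredential
	}
	return resolveActiveUser(rec.ID)
}

func authOIDC(subject string) (*User, error) {
	id, ok := oidcSubjects[subject]
	if !ok {
		return nil, ErrUnknownCredential
	}
	return resolveActiveUser(id)
}

func main() {
	if u, err := authAPITokenVulnerable("tk_bob"); err == nil {
		fmt.Printf("vulnerable API-token path accepted %s despite status %d\n", u.Username, u.Status)
	}
	_, err := authAPIToken("tk_bob")
	fmt.Println("fixed API-token path, disabled user:", err)
	_, err = authCalDAVBasic("carol", "battery-staple")
	fmt.Println("fixed CalDAV path, locked user:", err)
	_, err = authOIDC("idp|bob")
	fmt.Println("fixed OIDC path, disabled user:", err)
	u, err := authOIDC("idp|alice")
	fmt.Println("fixed OIDC path, active user:", u.Username, err)
}
```

The design point is that the check is placed where the principal is constructed, not where the credential is parsed: adding a fourth authentication path later would still have to call resolveActiveUser to obtain a User at all.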

CVSS Details

Base Score: 7.1 (CVSS 4.0, High)
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Base metrics (from the vector):
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Low (an account that has since been disabled or locked)
User Interaction: None
Vulnerable System Impact: Confidentiality None, Integrity High, Availability None
Subsequent System Impact: Confidentiality None, Integrity None, Availability None

Threat, environmental and supplemental metrics are all X (not defined).

Threat Intelligence

EPSS Exploit Probability: 36.1%
Exploit & Patch Status: public exploit known; patch available

Weaknesses (2)

CWE-285 Improper Authorization
CWE-863 Incorrect Authorization

Affected Products (1)

Vendor: vikunja
Product: vikunja
Version: * (all)
Range: ≥ 0.18.0 and < 2.2.1

References (6)

  • github.com https://github.com/go-vikunja/vikunja/commit/033922309f492996c928122fb49b691339199c35
    Patch
  • github.com https://github.com/go-vikunja/vikunja/commit/04704e0fde4b027039cf583110cee7afe136fc1b
    Patch
  • github.com https://github.com/go-vikunja/vikunja/commit/0b04768d830c80e9fde1b0962db1499cc652da0e
    Patch
  • github.com https://github.com/go-vikunja/vikunja/commit/fd452b9cb6457fd4f9936527a14c359818f1cca7
    Patch
  • github.com https://github.com/go-vikunja/vikunja/security/advisories/GHSA-94xm-jj8x-3cr4
    Exploit, Vendor Advisory
  • vikunja.io https://vikunja.io/changelog/vikunja-v2.2.2-was-released
    Release Notes

Remediation

Upgrade to Vikunja 2.2.1 or later; the four fix commits are the Patch entries listed under References. After upgrading, confirm the fix from the outside: take an account that is disabled or locked and check that its API token, its CalDAV basic-auth credentials and its OpenID Connect login are all rejected, not just the local login. Revoking API tokens belonging to disabled or locked accounts is a sensible additional step, since those tokens were usable on unpatched versions.