CVE-2026-33316 (GCVE-0-2026-33316)
Vulnerability from cvelistv5 – Published: 2026-03-24 14:59 – Updated: 2026-03-26 13:08
VLAI
EPSS
VEX
Title
Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement
Summary
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user’s status to `StatusActive` after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through `/api/v1/user/password/token` and completing the reset via `/api/v1/user/password/reset`, a disabled user can reactivate their account and bypass administrator-imposed account disablement. Version 2.2.0 patches the issue.
Severity
8.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/go-vikunja/vikunja/security/ad… | x_refsource_CONFIRM |
| https://github.com/go-vikunja/vikunja/commit/049f… | x_refsource_MISC |
| https://github.com/go-vikunja/vikunja/commit/d857… | x_refsource_MISC |
| https://vikunja.io/changelog/vikunja-v2.2.0-was-r… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| go-vikunja | vikunja |
Affected:
< 2.2.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33316",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T13:07:30.307577Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T13:08:08.138Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vikunja",
"vendor": "go-vikunja",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja\u2019s password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user\u2019s status to `StatusActive` after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through `/api/v1/user/password/token` and completing the reset via `/api/v1/user/password/reset`, a disabled user can reactivate their account and bypass administrator-imposed account disablement. Version 2.2.0 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T15:02:56.860Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-vq4q-79hh-q767",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-vq4q-79hh-q767"
},
{
"name": "https://github.com/go-vikunja/vikunja/commit/049f4a6be46f9460bd516f489ef9f569574bc70d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/go-vikunja/vikunja/commit/049f4a6be46f9460bd516f489ef9f569574bc70d"
},
{
"name": "https://github.com/go-vikunja/vikunja/commit/d8570c603da1f26635ce6048d6af85ede827abfb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/go-vikunja/vikunja/commit/d8570c603da1f26635ce6048d6af85ede827abfb"
},
{
"name": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released",
"tags": [
"x_refsource_MISC"
],
"url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released"
}
],
"source": {
"advisory": "GHSA-vq4q-79hh-q767",
"discovery": "UNKNOWN"
},
"title": "Vikunja\u2019s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33316",
"datePublished": "2026-03-24T14:59:17.242Z",
"dateReserved": "2026-03-18T21:23:36.676Z",
"dateUpdated": "2026-03-26T13:08:08.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-33316",
"date": "2026-07-09",
"epss": "0.00363",
"percentile": "0.28412"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-33316\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-24T15:16:35.370\",\"lastModified\":\"2026-06-17T10:37:18.680\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja\u2019s password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user\u2019s status to `StatusActive` after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through `/api/v1/user/password/token` and completing the reset via `/api/v1/user/password/reset`, a disabled user can reactivate their account and bypass administrator-imposed account disablement. Version 2.2.0 patches the issue.\"},{\"lang\":\"es\",\"value\":\"Vikunja es una plataforma de gesti\u00f3n de tareas de c\u00f3digo abierto autoalojada. Antes de la versi\u00f3n 2.2.0, una falla en la l\u00f3gica de restablecimiento de contrase\u00f1a de Vikunja permite a los usuarios deshabilitados recuperar el acceso a sus cuentas. La funci\u00f3n \u0027ResetPassword()\u0027 establece el estado del usuario en \u0027StatusActive\u0027 despu\u00e9s de un restablecimiento de contrase\u00f1a exitoso sin verificar si la cuenta hab\u00eda sido deshabilitada previamente. Al solicitar un token de restablecimiento a trav\u00e9s de \u0027/api/v1/user/password/token\u0027 y completar el restablecimiento a trav\u00e9s de \u0027/api/v1/user/password/reset\u0027, un usuario deshabilitado puede reactivar su cuenta y eludir la deshabilitaci\u00f3n de cuenta impuesta por el administrador. La versi\u00f3n 2.2.0 corrige el problema.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"go-vikunja\",\"product\":\"vikunja\",\"versions\":[{\"version\":\"\u003c 2.2.0\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-03-26T13:07:30.307577Z\",\"id\":\"CVE-2026-33316\",\"options\":[{\"exploitation\":\"poc\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"},{\"lang\":\"en\",\"value\":\"CWE-862\"},{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.2.0\",\"matchCriteriaId\":\"F28D4CDA-D35C-4636-AABA-A22EBE6F64D0\"}]}]}],\"references\":[{\"url\":\"https://github.com/go-vikunja/vikunja/commit/049f4a6be46f9460bd516f489ef9f569574bc70d\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/go-vikunja/vikunja/commit/d8570c603da1f26635ce6048d6af85ede827abfb\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/go-vikunja/vikunja/security/advisories/GHSA-vq4q-79hh-q767\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://vikunja.io/changelog/vikunja-v2.2.0-was-released\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]}]}}",
"redhat_vex": {
"current_release_date": "2026-03-27T07:38:27+00:00",
"cve": "CVE-2026-33316",
"id": "CVE-2026-33316",
"initial_release_date": "2026-01-01T00:00:00+00:00",
"product_status:known_not_affected": "1",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "Vikunja\u2019s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33316.json",
"version": "3"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33316\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-26T13:07:30.307577Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-26T13:08:04.255Z\"}}], \"cna\": {\"title\": \"Vikunja\\u2019s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement\", \"source\": {\"advisory\": \"GHSA-vq4q-79hh-q767\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"go-vikunja\", \"product\": \"vikunja\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.2.0\"}]}], \"references\": [{\"url\": \"https://github.com/go-vikunja/vikunja/security/advisories/GHSA-vq4q-79hh-q767\", \"name\": \"https://github.com/go-vikunja/vikunja/security/advisories/GHSA-vq4q-79hh-q767\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/go-vikunja/vikunja/commit/049f4a6be46f9460bd516f489ef9f569574bc70d\", \"name\": \"https://github.com/go-vikunja/vikunja/commit/049f4a6be46f9460bd516f489ef9f569574bc70d\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/go-vikunja/vikunja/commit/d8570c603da1f26635ce6048d6af85ede827abfb\", \"name\": \"https://github.com/go-vikunja/vikunja/commit/d8570c603da1f26635ce6048d6af85ede827abfb\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://vikunja.io/changelog/vikunja-v2.2.0-was-released\", \"name\": \"https://vikunja.io/changelog/vikunja-v2.2.0-was-released\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja\\u2019s password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user\\u2019s status to `StatusActive` after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through `/api/v1/user/password/token` and completing the reset via `/api/v1/user/password/reset`, a disabled user can reactivate their account and bypass administrator-imposed account disablement. Version 2.2.0 patches the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284: Improper Access Control\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863: Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-24T15:02:56.860Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-33316\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-26T13:08:08.138Z\", \"dateReserved\": \"2026-03-18T21:23:36.676Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-24T14:59:17.242Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…