Vikunja
CVE-2026-28268
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever. This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue.
AnalysisAI
Business logic vulnerability in Vikunja task management platform before 2.1.0 allows incomplete resource cleanup, potentially enabling unauthorized access to shared resources after user removal.
Technical ContextAI
CWE-459 incomplete cleanup. When users are removed from shared resources, associated state is not fully purged, potentially leaving residual access.
RemediationAI
Update to Vikunja 2.1.0. Audit shared resource memberships.
Weak password policy in Vikunja task management before 2.0.0 allows users to set trivially guessable passwords. PoC avai
Stored cross-site scripting (XSS) in Vikunja prior to version 2.0.0 allows authenticated attackers to steal authenticati
Vikunja before version 2.0.0 contains a path traversal vulnerability in its backup restoration function that fails to va
Vikunja is an open-source self-hosted task management platform. [CVSS 6.1 MEDIUM]
Instance-wide data breach in Vikunja before 2.2.1 lets remote attackers exfiltrate and destroy every file attachment acr
Authentication bypass in Vikunja task management platform allows unauthenticated attackers to circumvent two-factor auth
Vikunja prior to version 2.3.0 fails to validate link share permissions against server state during JWT authentication,
The Vikunja Desktop Electron application fails to validate or allowlist URI schemes before passing URLs from window.open
Cross-site scripting (XSS) in Vikunja prior to version 1.1.0 allows authenticated attackers to execute arbitrary JavaScr
Same weakness CWE-459 – Incomplete Cleanup
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: CriticalShare
External POC / Exploit Code
Leaving vuln.today
GHSA-rfjg-6m84-crj2