Skip to main content

Vikunja CVE-2026-28268

CRITICAL
Incomplete Cleanup (CWE-459)
2026-02-27 security-advisories@github.com GHSA-rfjg-6m84-crj2
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
Patch released
Mar 06, 2026 - 21:03 nvd
Patch available
CVE Published
Feb 27, 2026 - 21:16 nvd
CRITICAL 9.8

DescriptionGitHub Advisory

Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever. This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue.

AnalysisAI

Business logic vulnerability in Vikunja task management platform before 2.1.0 allows incomplete resource cleanup, potentially enabling unauthorized access to shared resources after user removal.

Technical ContextAI

CWE-459 incomplete cleanup. When users are removed from shared resources, associated state is not fully purged, potentially leaving residual access.

RemediationAI

Update to Vikunja 2.1.0. Audit shared resource memberships.

Vendor StatusVendor

SUSE

Severity: Critical

Share

CVE-2026-28268 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy