CRITICAL🇵🇱 Wersja polska

CVE-2026-28268

CVSS 9.8v3.1pub. 2026-02-27upd. 2026-03-06

Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever. This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue.

🤖 AI Analysis
How it works

The vulnerability stems from a business logic error in the password reset mechanism of the vikunja/api module. After a token is used, it is not invalidated, and an additional critical error in the cron task responsible for cleaning up tokens causes them to never expire. An attacker who intercepts a token (e.g., from system logs, browser history, or via phishing) can reuse it multiple times to change the victim's password, completely bypassing standard authentication mechanisms.

Impact

Attacker gains full and persistent control over the user account to which the intercepted token is assigned, without needing to know the current password.

Mitigation & patch

Vikunja must be updated to version 2.1.0, which contains a patch eliminating the vulnerability. Patch available in GitHub repository (commit 5c2195f9fca9ad208477e865e6009c37889f87b2).

Who is affected

Vikunja (open-source self-hosted task management platform) — all versions before 2.1.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Vikunja

    APP
    Vikunja
    < 2.1.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-27575CRITICAL9.1PL ✓ten sam produkt

Vikunja: słabe hasła i brak unieważniania sesji po zmianie hasła

CVE-2026-35595HIGH8.3ten sam produkt

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CanUpdate check at pkg/mod...

CVE-2026-34727HIGH7.4ten sam produkt

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issu...

CVE-2026-33668HIGH7.1ten sam produkt

Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to versio...

CVE-2026-33316HIGH8.1ten sam produkt

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja’s pa...