CVE-2026-33316

Summary

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The ResetPassword() function sets the user’s status to StatusActive after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through /api/v1/user/password/token and completing the reset via /api/v1/user/password/reset, a disabled user can reactivate their account and bypass administrator-imposed account disablement. Version 2.2.0 patches the issue.

Affected Software

VendorProductVersion RangeStatus
go-vikunjavikunja< 2.2.0affected

Weaknesses

  • CWE-284: CWE-284: Improper Access Control
  • CWE-862: CWE-862: Missing Authorization
  • CWE-863: CWE-863: Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References