PT-2026-22393 · Vikunja · Vikunja

Vashuvats · Published 2026-02-27 · Updated 2026-03-25 · CVE-2026-28268

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Vikunja versions prior to 2.1.0

Description: Vikunja, an open-source self-hosted task management platform, has a business logic flaw in its password reset mechanism within the vikunja/api. This allows password reset tokens to be reused indefinitely. The issue arises from a failure to invalidate tokens after use and a logic error in the token cleanup cron job, which prevents the removal of expired tokens. An attacker intercepting a single reset token can perform a persistent account takeover, bypassing standard authentication.

The vulnerability stems from two distinct logic errors: the ResetPassword function incorrectly deletes TokenEmailConfirm tokens instead of TokenPasswordReset tokens, and the token cleanup cron job deletes new tokens instead of old ones. This results in an infinite attack window, allowing exploitation long after the token was initially issued.

Recommendations: Update to version 2.1.0.
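The two defects described above are both "which token does this code act on" mistakes: consuming a token must delete the token of the kind that was just validated, and a cleanup job must remove tokens older than the TTL, not newer. The following Go program is an added illustration of the intended behaviour; it is not Vikunja's code, and every name in it (TokenStore, Issue, ResetPassword, Cleanup, the TokenKind constants) is hypothetical. Go is used because the related GO-2026-4575 identifier shows the affected project is a Go module.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// TokenKind keeps e-mail confirmation and password reset tokens apart, so a
// reset can never be satisfied by (or delete) a token of the other kind.
type TokenKind int

const (
	TokenEmailConfirm TokenKind = iota
	TokenPasswordReset
)

var (
	ErrUnknownToken = errors.New("token unknown or already used")
	ErrWrongKind    = errors.New("token is not a password reset token")
	ErrExpired      = errors.New("token expired")
)

// Token is the stored record; the secret value itself is the map key.
type Token struct {
	Kind    TokenKind
	UserID  int64
	Created time.Time
}

// TokenStore is an in-memory stand-in for a database table (constructed for
// this example).
type TokenStore struct {
	mu     sync.Mutex
	ttl    time.Duration
	tokens map[string]Token
}

func NewTokenStore(ttl time.Duration) *TokenStore {
	return &TokenStore{ttl: ttl, tokens: make(map[string]Token)}
}

// Issue creates a fresh 256-bit random token of the given kind for a user.
func (s *TokenStore) Issue(userID int64, kind TokenKind, now time.Time) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	value := hex.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.tokens[value] = Token{Kind: kind, UserID: userID, Created: now}
	return value, nil
}

// ResetPassword consumes a password reset token exactly once. The record is
// deleted under the same lock that validated it, so presenting the same value
// a second time fails with ErrUnknownToken. Note the deletion targets the
// reset token that was just checked, not some other token kind.
func (s *TokenStore) ResetPassword(value string, now time.Time) (int64, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	t, ok := s.tokens[value]
	if !ok {
		return 0, ErrUnknownToken
	}
	if t.Kind != TokenPasswordReset {
		return 0, ErrWrongKind
	}
	delete(s.tokens, value) // single use: gone whether or not it is still valid
	if now.Sub(t.Created) > s.ttl {
		return 0, ErrExpired
	}
	return t.UserID, nil
}

// Cleanup is what a periodic job should do: remove tokens created BEFORE the
// cutoff. Flipping the comparison to After(cutoff) would delete fresh tokens
// and keep stale ones indefinitely, which is the cron-job error the advisory
// describes.
func (s *TokenStore) Cleanup(now time.Time) int {
	cutoff := now.Add(-s.ttl)
	s.mu.Lock()
	defer s.mu.Unlock()
	removed := 0
	for value, t := range s.tokens {
		if t.Created.Before(cutoff) {
			delete(s.tokens, value)
			removed++
		}
	}
	return removed
}

func main() {
	s := NewTokenStore(time.Hour)
	now := time.Now()
	tok, _ := s.Issue(42, TokenPasswordReset, now)
	_, first := s.ResetPassword(tok, now)
	_, second := s.ResetPassword(tok, now)
	fmt.Println("first use:", first, "| second use:", second)
}
```

The check a reviewer would look for in a real implementation is the pairing shown in ResetPassword: the lookup, the kind check and the delete of that same row happen together, so there is no window in which a validated token survives to be replayed.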

Exploit

Fix


Weakness Enumeration

Related Identifiers

CVE-2026-28268
GHSA-RFJG-6M84-CRJ2
GO-2026-4575
SUSE-SU-2026:1042-1

Affected Products

Vikunja