PT-2026-27445 · Vikunja · Vikunja

Highkolaente

Publicado

2026-03-24

Atualizado

2026-03-27

CVE-2026-33668

CVSS v3.1

8.1

Alta

Vetor

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions Vikunja versions 0.18.0 through 2.2.0

Description Vikunja is a self-hosted task management platform. When a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. The API tokens, CalDAV basic authentication, and OpenID Connect authentication paths do not verify user status, allowing disabled or locked users to continue accessing the API and syncing data. The vulnerable authentication paths include the use of API tokens via the /api/v1/lists endpoint, CalDAV basic authentication, and OpenID Connect. The user status is not verified during authentication via these methods.

Recommendations Update to version 2.2.1 or later.

Exploit

Correção

Improper Authorization

Incorrect Authorization

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-285CWE-863

Identificadores relacionados

CVE-2026-33668

GHSA-94XM-JJ8X-3CR4

GO-2026-4849

SUSE-SU-2026:1135-1

Produtos afetados

Vikunja

PT-2026-27445 · Vikunja · Vikunja

CVE-2026-33668

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 153