PT-2026-22031 · Vikunja · Vikunja
Iamsampathk · Published 2026-02-25 · Updated 2026-03-25
CVE-2026-27575
CVSS v3.1: 9.1 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Vikunja versions prior to 2.0.0
Description
The application allows users to set weak passwords without enforcing any minimum length or strength requirement, and active sessions remain valid after a user changes their password: no forced logout occurs across the user's other sessions. An attacker who compromises an account, for example via brute-force or credential stuffing against a weak password, can therefore keep persistent access even after the victim resets their password. The combination of weak password controls and missing session invalidation increases both the exploitability and the impact of the issue.
Recommendations
Versions prior to 2.0.0 should be updated to version 2.0.0 or later.
Enforce strong password policies, requiring passwords of 8–16+ characters with a mix of uppercase and lowercase letters, digits and special characters.
Block common passwords by using a blacklist of commonly used and breached passwords.
Use secure hashing algorithms like bcrypt or Argon2 to store passwords.
Enable account lockout to limit failed login attempts.
Invalidate all active sessions upon password change.
Revoke refresh tokens, if applicable.
Implement token/session versioning.
Regenerate session IDs after credential updates.
Log and notify users of password change events.
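The session-versioning and forced-logout recommendations above, as an added Go example that is not Vikunja's code: each session is bound to the user's password version, a password change bumps that version, and validation rejects any session issued under an older one, so every pre-change session dies without having to enumerate them. The in-memory `Sessions` map, the 8-character minimum and the omission of bcrypt/Argon2 hashing are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
)

type User struct {
	PasswordVersion uint64 // incremented on every password change
}
type Session struct {
	ID              string
	User            *User
	PasswordVersion uint64 // the user's version when this session was issued
}

// Sessions is an in-memory stand-in for the session store (assumption for this example).
type Sessions map[string]*Session

var ErrSessionInvalid = errors.New("session unknown or issued before a password change")

// Login issues a random session ID bound to the user's current password version.
func (s Sessions) Login(u *User) (*Session, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	sess := &Session{ID: hex.EncodeToString(b), User: u, PasswordVersion: u.PasswordVersion}
	s[sess.ID] = sess
	return sess, nil
}

// ChangePassword enforces a minimum length and bumps the version, invalidating every existing session.
func ChangePassword(u *User, newPassword string) error {
	if len(newPassword) < 8 {
		return errors.New("password too short: minimum 8 characters")
	}
	u.PasswordVersion++ // storing the bcrypt/Argon2 hash of newPassword is omitted here
	return nil
}

// Validate rejects unknown sessions and sessions issued under an older password version.
func (s Sessions) Validate(id string) (*User, error) {
	sess, ok := s[id]
	if !ok || sess.PasswordVersion != sess.User.PasswordVersion {
		delete(s, id) // drop the stale session on first sight
		return nil, ErrSessionInvalid
	}
	return sess.User, nil
}
```

A rejected (too short) password change leaves the version, and therefore existing sessions, untouched; only a successful change forces re-authentication everywhere.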
Exploit
Fix
Insufficient Session Expiration
Related identifiers
Affected products
Vikunja