CVE-2026-29794

Name of the Vulnerable Software and Affected Versions Vikunja versions 0.8 through 2.1.9

Description Vikunja, an open-source self-hosted task management platform, contains a flaw where unauthenticated users can circumvent the application's rate limits. This bypass is achieved by manipulating the X-Forwarded-For or X-Real-IP headers, as the rate-limiting mechanism relies on the value of (echo.Context).RealIP. This allows attackers to make an unlimited number of requests to unauthenticated endpoints. The immediate risk is the potential for brute-forcing usernames or passwords. The vulnerable code resides in the pkgroutesrate limit.go file, specifically within the RateLimit middleware function, where the c.RealIP() function is used to determine the rate-limit key. The /api/v1/login API endpoint is susceptible to this issue.

Recommendations Vikunja versions 0.8 through 2.1.9 are affected and should be upgraded to version 2.2.0 or later to resolve this issue.