PT-2026-26752 · Vikunja · Vikunja

Alp1N3-Dev · Published 2026-03-20 · Updated 2026-03-27 · CVE-2026-33315

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Vikunja versions prior to 2.1.0

Description: The CalDAV endpoint allows login using Basic Authentication, which bypasses the TOTP check for accounts with 2FA enabled. This allows access to project information normally protected by 2FA, such as project names and descriptions. The issue occurs because the authentication process for CalDAV via Basic Authentication skips the 2FA checks entirely: the code retrieves the Basic credentials, verifies the username and password, and then grants access without requiring TOTP verification. An attacker who knows a user's password can craft HTTP requests to the CalDAV endpoint with Base64-encoded username and password to bypass 2FA and access that user's authenticated information.

Recommendations: For versions prior to 2.1.0, disable Basic Authentication for CalDAV by default but keep token access enabled. Alternatively, implement Basic Auth for CalDAV behind a feature flag, and note in the documentation that it is a less secure pattern when 2FA is enabled.
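The flow the description gives, as an added Go sketch that is not Vikunja's own code: the pre-2.1.0 check beside a hardened one that implements the recommended default (password Basic Auth off, token access on) and, even when the feature flag is on, refuses accounts with TOTP enabled. The User type, the toy hashing, the feature-flag parameter and the sample credentials are constructed assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Constructed stand-in for a user record; field names are assumptions, not Vikunja's types.
type User struct {
	PasswordHash [32]byte
	TOTPEnabled  bool
	TokenHashes  map[[32]byte]bool // hashes of issued CalDAV tokens
}

var (
	ErrUnauthorized        = errors.New("unauthorized")
	ErrBasicAuthDisallowed = errors.New("password login over CalDAV not permitted for this account; use a CalDAV token")
)

// Toy hashing so the example runs offline; a real service uses a password KDF.
func hash(s string) [32]byte { return sha256.Sum256([]byte(s)) }
func (u *User) passwordOK(p string) bool {
	h := hash(p)
	return subtle.ConstantTimeCompare(h[:], u.PasswordHash[:]) == 1
}

// vulnerableCaldavAuth mirrors the pre-2.1.0 flow the advisory describes: the Basic Auth
// credentials are verified and access is granted without consulting the TOTP setting.
func vulnerableCaldavAuth(u *User, secret string) error {
	if !u.passwordOK(secret) { return ErrUnauthorized }
	return nil
}

// fixedCaldavAuth keeps token access and gates password Basic Auth behind an explicit
// feature flag; even with the flag on, accounts with TOTP enabled are refused, because a
// Basic Auth exchange has no step in which the second factor could be presented.
func fixedCaldavAuth(u *User, secret string, allowPasswordBasicAuth bool) error {
	if u.TokenHashes[hash(secret)] { return nil } // token path still works with 2FA on
	if !allowPasswordBasicAuth || u.TOTPEnabled { return ErrBasicAuthDisallowed }
	if !u.passwordOK(secret) { return ErrUnauthorized }
	return nil
}

// sampleUser is constructed test data: 2FA enabled, one CalDAV token issued.
func sampleUser() *User {
	return &User{PasswordHash: hash("correct horse"), TOTPEnabled: true,
		TokenHashes: map[[32]byte]bool{hash("tk_example"): true}}
}
```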

Weakness Enumeration

Authentication Bypass Using an Alternate Path or Channel

Related Identifiers

CVE-2026-33315
GHSA-47CR-F226-R4PQ
GO-2026-4794
SUSE-SU-2026:1135-1

Affected Products

Vikunja