CVE-2026-33316

Name of the Vulnerable Software and Affected Versions Vikunja (affected versions not specified)

Description A flaw in the password reset logic allows disabled users to regain access to their accounts. The ResetPassword() function sets the user’s status to StatusActive after a successful password reset without verifying whether the account was previously disabled. A disabled user can request a reset token via the /api/v1/user/password/token endpoint and complete the reset using the /api/v1/user/password/reset endpoint, reactivating their account and bypassing administrator-imposed account disablement. The RequestUserPasswordResetTokenByEmail function fetches the user via GetUserWithEmail(), which does not filter out disabled users, allowing them to request a token. The vulnerable code is located in pkg/user/user password reset.go, beginning at line 66, where the user.Status is unconditionally set to StatusActive.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.