PT-2026-26763 · Vikunja · Vikunja

Alp1N3-Dev · Published 2026-03-20 · Updated 2026-03-27 · CVE-2026-33473

CVSS v3.1: 5.7 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Vikunja (affected versions not specified)

Description: A flaw exists where a Time-based One-Time Password (TOTP) that has already completed a successful 2FA authentication can be reused within its 30-second validity window, so subsequent authentication attempts with the same code also succeed. This bypasses a security measure intended to ensure each TOTP is used only once. The issue resides in the ValidateTOTPPasscode function in pkg/user/totp.go:128, which does not prevent the reuse of valid TOTP codes within the validity window. This weakens the defense-in-depth model surrounding 2FA and potentially affects any user employing 2FA. The affected code is located in the code.vikunja.io/api module.

Recommendations: Implement a deny-list that stores used TOTP codes for the length of their validity windows and check each submitted code against this list to prevent reuse. After the validity window expires, remove the TOTP code from the deny-list.
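The following Go program is an added illustration of the recommended deny-list; it is not Vikunja's code and does not reproduce the ValidateTOTPPasscode function. The names replayGuard, Validate and the user id "alice" are assumptions, the secret is the RFC 6238 test-vector secret used as constructed demo input, and the deny-list lives in an in-memory map (a deployment with several API instances would need shared storage). One detail the recommendation leaves implicit is handled explicitly: because verifiers usually also accept the previous time step to tolerate clock skew, a deny-list entry must outlive that whole acceptance window, not only the 30 seconds of the step the code was generated in. Recording the last accepted time step per user, as RFC 6238 suggests, is an equivalent alternative to a code list.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"sync"
	"time"
)

// totpPeriod is the RFC 6238 time step; totpDigits the code length.
const (
	totpPeriod = 30 * time.Second
	totpDigits = 6
)

// hotp computes an RFC 4226 HOTP value (HMAC-SHA1 with dynamic truncation)
// for a single counter value.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000) // totpDigits == 6
}

// totpAt returns the TOTP code for the 30-second step that contains t.
func totpAt(secret []byte, t time.Time) string {
	return hotp(secret, uint64(t.Unix())/uint64(totpPeriod/time.Second))
}

// replayGuard is the deny-list of codes that already completed a login,
// keyed per user; each entry carries the time after which the code can no
// longer be accepted at all and may therefore be forgotten. (Assumed name.)
type replayGuard struct {
	mu   sync.Mutex
	used map[string]time.Time
}

func newReplayGuard() *replayGuard {
	return &replayGuard{used: make(map[string]time.Time)}
}

// Validate accepts a code for the current step or the previous one (one
// step of clock skew) and then refuses any code that already authenticated
// this user. It returns whether the login may proceed and a reason string.
func (g *replayGuard) Validate(userID string, secret []byte, code string, now time.Time) (bool, string) {
	g.mu.Lock()
	defer g.mu.Unlock()

	// Drop deny-list entries whose code can no longer match any accepted step.
	for k, exp := range g.used {
		if !now.Before(exp) {
			delete(g.used, k)
		}
	}

	matched := false
	for _, step := range []time.Time{now, now.Add(-totpPeriod)} {
		// Constant-time compare so a wrong guess leaks no timing information.
		if subtle.ConstantTimeCompare([]byte(totpAt(secret, step)), []byte(code)) == 1 {
			matched = true
		}
	}
	if !matched {
		return false, "invalid code"
	}

	key := userID + ":" + code
	if _, seen := g.used[key]; seen {
		// The reuse the advisory describes: a valid code presented a second
		// time inside its acceptance window.
		return false, "code already used"
	}
	// Keep the entry until the code has aged out of the skew allowance too:
	// the current step plus the one previous step the verifier tolerates.
	g.used[key] = now.Add(2 * totpPeriod)
	return true, "ok"
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector secret (constructed demo input)
	guard := newReplayGuard()
	now := time.Unix(59, 0)
	code := totpAt(secret, now)
	fmt.Println(code) // 287082
	ok, why := guard.Validate("alice", secret, code, now)
	fmt.Println(ok, why) // true ok
	ok, why = guard.Validate("alice", secret, code, now.Add(10*time.Second))
	fmt.Println(ok, why) // false code already used
}
```

The first check in main succeeds, the second is the replay the advisory describes and is rejected even though the code is still within the step's acceptance window; once the entry's expiry passes, the code no longer matches any accepted step anyway, so the list stays bounded.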

Weakness Enumeration: Improper Authentication

Related Identifiers

CVE-2026-33473
GHSA-P747-QC5P-773R
GO-2026-4805
SUSE-SU-2026:1135-1

Affected Products

Vikunja