CVE-2026-33668

CVSS v3.1

8.1

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions Vikunja versions 0.18.0 through 2.2.0

Description Vikunja is a self-hosted task management platform. When a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. The API tokens, CalDAV basic authentication, and OpenID Connect authentication paths do not verify user status, allowing disabled or locked users to continue accessing the API and syncing data. The vulnerable authentication paths include the use of API tokens via the /api/v1/lists endpoint, CalDAV basic authentication, and OpenID Connect. The user status is not verified during authentication via these methods.

Recommendations Update to version 2.2.1 or later.

Exploit

Fix

Improper Authorization

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-285CWE-863

Related Identifiers

CVE-2026-33668

GHSA-94XM-JJ8X-3CR4

GO-2026-4849

SUSE-SU-2026:1135-1

Affected Products

Vikunja

CVE-2026-33668

Weakness Enumeration

Related Identifiers

Affected Products

References · 153