PT-2026-31944 · Vikunja · Vikunja

Published: 2026-04-10 · Updated: 2026-04-10 · CVE-2026-34727

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Vikunja versions prior to 2.3.0

Description: A flaw exists in the OIDC callback handler, which issues a full JWT token without verifying the TOTP two-factor authentication status of the matched user. Specifically, when a local user with TOTP enabled is matched through the OIDC email fallback mechanism, the second factor is never checked. An attacker who can authenticate to the OIDC provider with a matching email address therefore gains full access without a second-factor challenge, undermining the protection that TOTP enrollment is meant to provide. This issue is a prerequisite for an OIDC email fallback account takeover, potentially allowing both the password and the TOTP second factor to be bypassed.

Recommendations: Update to version 2.3.0 or later. As a mitigation, add a TOTP check in the OIDC callback before issuing the JWT.
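The recommended check, shown as an added Go example that is not Vikunja's own code: a constructed email-fallback lookup (matchByEmail, User and the "full-jwt:" token string are all hypothetical stand-ins) feeds two callback variants, the flawed one that mints a full token regardless of TOTP enrollment and the corrected one that refuses until the second factor is satisfied.

```go
package main

import (
	"errors"
	"fmt"
)

// User is a constructed stand-in for a local account record.
type User struct {
	Email       string
	TOTPEnabled bool
}

// ErrSecondFactorRequired tells the caller to route the login to a TOTP challenge.
var ErrSecondFactorRequired = errors.New("totp enrolled: second factor required before issuing JWT")

// matchByEmail models the email fallback: no account is linked to the OIDC
// subject, so the callback matches a local user by the provider's email claim.
func matchByEmail(users []User, email string) (*User, error) {
	for i := range users {
		if users[i].Email == email {
			return &users[i], nil
		}
	}
	return nil, fmt.Errorf("no local user for %s", email)
}

// vulnerableCallback mirrors the flaw: a full JWT is issued for the matched
// user without consulting TOTP enrollment; the string stands in for the token.
func vulnerableCallback(users []User, oidcEmail string) (string, error) {
	u, err := matchByEmail(users, oidcEmail)
	if err != nil {
		return "", err
	}
	return "full-jwt:" + u.Email, nil
}

// fixedCallback adds the check the advisory recommends: when the matched
// user has TOTP enabled, no full JWT is issued until the TOTP challenge
// has been completed.
func fixedCallback(users []User, oidcEmail string) (string, error) {
	u, err := matchByEmail(users, oidcEmail)
	if err != nil {
		return "", err
	}
	if u.TOTPEnabled {
		return "", ErrSecondFactorRequired
	}
	return "full-jwt:" + u.Email, nil
}
```

A real handler would redirect the ErrSecondFactorRequired case to the TOTP form and only mint the token after that form verifies a code.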

Exploit · Fix

Weakness Enumeration: Improper Authentication

Related Identifiers: CVE-2026-34727, GHSA-8JVC-MCX6-R4CG

Affected Products: Vikunja