CVE-2026-35597

Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.3.0

Description A flaw exists in Vikunja before version 2.3.0 related to the Time-based One-Time Password (TOTP) failed-attempt lockout mechanism. A database transaction handling bug prevents the account lockout from being correctly persisted. Specifically, when a TOTP validation fails, the login handler rolls back the database session unconditionally, undoing the attempt to lock the account. This allows an attacker to bypass the intended lockout mechanism and perform unlimited brute-force attempts against TOTP codes. The vulnerability resides in the interaction between the login handler in pkg/routes/api/v1/login.go and the HandleFailedTOTPAuth function in pkg/user/totp.go. The HandleFailedTOTPAuth function attempts to set the account status to locked, but this change is lost due to the rollback. The in-memory counter correctly increments, but the database is not updated.

Recommendations Update to version 2.3.0 or later to resolve this issue. As a temporary workaround, consider disabling TOTP until a patch is available.