Home / Vulnerability Intelligence / CVE-2026-33315

CVE-2026-33315 - Vulnerability Analysis

MediumCVSS: 4.3

Last Updated: March 24, 2026

Vikunja - Authentication Bypass

Published: March 24, 2026Updated: March 24, 2026PoC AvailableRemote Exploitable

Overview

Vikunja < 2.2.0 contains a broken authentication vulnerability caused by Basic Authentication on Caldav endpoint, letting users bypass TOTP on 2FA-enabled accounts to access protected project information, exploit requires user login.

Severity & Score

Severity: Medium

CVSS Score: 4.3

Impact

Users can bypass 2FA and access protected project information, compromising account security and confidentiality.

Mitigation

Update to version 2.2.0 or later.

References

https://github.com/go-vikunja/vikunja/commit/cdf5d30a425d032f749b78b98b828f25ad882615
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-47cr-f226-r4pq
https://vikunja.io/changelog/vikunja-v2.2.0-was-released

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-33315
Severity: Medium
CVSS Score: 4.3
Type: broken_authentication
Status: confirmed

CWE

CWE-288

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N