CVE-2026-33316 - Vulnerability Analysis
HighCVSS: 8.1Last Updated: March 24, 2026
Vikunja - Authentication Bypass
Overview
Vikunja < 2.2.0 contains an authentication bypass caused by improper status verification in ResetPassword() function, letting disabled users reactivate accounts and bypass admin disablement, exploit requires disabled user account.
Severity & Score
Impact
Disabled users can regain access by resetting passwords, bypassing administrator account disablement controls.
Mitigation
Upgrade to version 2.2.0 or later.
References
- https://github.com/go-vikunja/vikunja/security/advisories/GHSA-vq4q-79hh-q767
- https://vikunja.io/changelog/vikunja-v2.2.0-was-released
- https://github.com/go-vikunja/vikunja/commit/049f4a6be46f9460bd516f489ef9f569574bc70d
- https://github.com/go-vikunja/vikunja/commit/d8570c603da1f26635ce6048d6af85ede827abfb
Social Media Activity(1 post)
🟠 CVE-2026-33316 - High (8.1) Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user’s status to... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33316/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-33316
- Severity
- High
- CVSS Score
- 8.1
- Type
- broken_authentication
- Status
- confirmed
- EPSS
- 2.9%
- Social Posts
- 1
CWE
- CWE-284
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N