CVE-2026-33316 - Vulnerability Analysis

Overview

Vikunja < 2.2.0 contains an authentication bypass caused by improper status verification in ResetPassword() function, letting disabled users reactivate accounts and bypass admin disablement, exploit requires disabled user account.

Severity & Score

Impact

Disabled users can regain access by resetting passwords, bypassing administrator account disablement controls.

Mitigation

Upgrade to version 2.2.0 or later.

References

• https://github.com/go-vikunja/vikunja/commit/049f4a6be46f9460bd516f489ef9f569574bc70d
• https://github.com/go-vikunja/vikunja/commit/d8570c603da1f26635ce6048d6af85ede827abfb
• https://github.com/go-vikunja/vikunja/security/advisories/GHSA-vq4q-79hh-q767
• https://vikunja.io/changelog/vikunja-v2.2.0-was-released

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner