Cyber Posture

CVE-2026-33668

HighPublic PoC

Published: 24 March 2026

Published
24 March 2026
Modified
27 March 2026
KEV Added
Patch
CVSS Score 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0024 46.5th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths.…

more

Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue accessing the API and syncing data. Version 2.2.1 patches the issue.

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

Requires the system to enforce approved authorizations, including user account status checks, across all authentication paths like API tokens, CalDAV, and OpenID Connect to prevent unauthorized access by disabled accounts.

AC-2 Account Management good match
prevent

Mandates identification, management, and disabling of accounts to ensure revocation of access upon account lockout or disablement in self-hosted task management platforms.

IA-5 Authenticator Management good match
prevent

Requires management and disabling of authenticators such as API tokens and basic auth credentials when associated user accounts are disabled or locked.

Security SummaryAI

CVE-2026-33668 is a high-severity vulnerability (CVSS 8.1, AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) affecting Vikunja, an open-source self-hosted task management platform, in versions starting from 0.18.0 and prior to 2.2.1. It involves improper authorization (CWE-285, CWE-863) where user account status checks for disabled or locked accounts are only enforced on local login and JWT token refresh paths. The API tokens, CalDAV basic auth, and OpenID Connect authentication paths fail to verify user status, enabling continued access to the API and data syncing despite account disablement.

Exploitation requires low privileges (PR:L), specifically an authenticated user whose account has been disabled or locked. Attackers can leverage this remotely over the network with low complexity and no user interaction, achieving high confidentiality and integrity impacts by maintaining unauthorized API access and data synchronization capabilities.

Vikunja version 2.2.1 addresses the issue with fixes detailed in multiple GitHub commits, including 033922309f492996c928122fb49b691339199c35, 04704e0fde4b027039cf583110cee7afe136fc1b, 0b04768d830c80e9fde1b0962db1499cc652da0e, and fd452b9cb6457fd4f9936527a14c359818f1cca7. Additional mitigation guidance is available in the GitHub security advisory GHSA-94xm-jj8x-3cr4.

Details

CWE(s)
CWE-285CWE-863

Affected Products

vikunja
vikunja
0.18.0 — 2.2.1

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
attack.mitre.org →
Why these techniques?

Vulnerability in public-facing Vikunja web application enables exploitation of improper authorization (T1190), allowing continued unauthorized API access and data sync with valid but disabled accounts (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References