Platform
go
Component
code.vikunja.io/api
Fixed in
0.13.1
CVE-2026-33473 describes a vulnerability in the Vikunja API in which a Time-based One-Time Password (TOTP) code already used by a user with Two-Factor Authentication (2FA) enabled is accepted again. An attacker who obtains that code can authenticate as the user for the remainder of the TOTP's standard 30-second validity window. The vulnerability affects versions of Vikunja API prior to 2.2.1 and has been resolved in that release.
The primary impact of CVE-2026-33473 is unauthorized access to user accounts. An attacker who obtains a valid TOTP code for a Vikunja user can replay that code to authenticate as that user, gaining access to their data and potentially performing actions on their behalf. This could include accessing sensitive information, modifying data, or even deleting accounts. The risk is amplified if the user has administrative privileges within the Vikunja instance, potentially leading to broader system compromise. While the 30-second window limits the immediate impact, it provides a short opportunity for malicious activity before the TOTP expires.
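As an added illustration of the weakness described above (example code, not Vikunja's own implementation, which the advisory does not show), the Go snippet below validates an RFC 6238 code and records, per user, the highest time-step counter already accepted; a code presented again inside its 30-second window matches but is rejected as a replay. The `Verifier` type, its in-memory store, the test secret and the timestamps are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"sync"
)

// totpCode computes an RFC 6238 code (HMAC-SHA1, 6 digits) for one 30 s time-step counter.
func totpCode(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation (RFC 4226, section 5.4)
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// Verifier is a hypothetical in-memory store of the highest time-step counter
// already accepted for each user. A matching code whose counter is not newer
// than that is a replay and is rejected even though the code is still "valid".
type Verifier struct {
	mu       sync.Mutex        // serialises checks so two concurrent replays cannot both pass
	lastUsed map[string]uint64 // user -> highest accepted counter
}

func NewVerifier() *Verifier { return &Verifier{lastUsed: map[string]uint64{}} }

// Verify accepts the current step or the previous one (clock skew); assumes now >= 30.
func (v *Verifier) Verify(user string, secret []byte, code string, now int64) bool {
	v.mu.Lock()
	defer v.mu.Unlock()
	cur := uint64(now / 30)
	for _, c := range []uint64{cur, cur - 1} {
		if !hmac.Equal([]byte(totpCode(secret, c)), []byte(code)) {
			continue
		}
		if last, ok := v.lastUsed[user]; ok && c <= last {
			return false // this step (or an older one) was already consumed: replay
		}
		v.lastUsed[user] = c // record consumption before reporting success
		return true
	}
	return false
}
```

The first two assertions in the accompanying check use the RFC 6238 SHA-1 test vectors (secret `12345678901234567890`, times 59 and 1111111109) to confirm the code generator itself before exercising the replay logic.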
CVE-2026-33473 was publicly disclosed on 2026-03-20. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept (PoC) code is not yet available, but the vulnerability's nature suggests it could be relatively easy to exploit once a PoC is released.
Users of Vikunja API who have enabled 2FA and are running versions prior to 2.2.1 are at risk. This includes individuals and organizations relying on Vikunja for task management and collaboration, particularly those with sensitive data stored within the system. Shared hosting environments running Vikunja are also at increased risk due to potential cross-tenant vulnerabilities.
• linux / server:
  journalctl -u vikunja -g "totp validation"
• generic web:
  curl -s -o /dev/null -w '%{http_code}' <vikunja_url>/api/login | grep 200
• database (redis):
  INFO totp_validation_attempts
Disclosure
Exploit status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33473 is to upgrade to Vikunja API version 2.2.1 or later, which includes a fix for the TOTP replay vulnerability. If an immediate upgrade is not possible, consider implementing temporary workarounds such as shortening the TOTP validity window (if Vikunja allows it) or increasing monitoring for suspicious login attempts. Review Vikunja's audit logs for any unusual authentication patterns. After upgrading, confirm the fix by attempting to reuse a previously valid TOTP code – it should be rejected.
Update Vikunja to version 2.2.1 or later. This version fixes the vulnerability that allowed a TOTP code to be reused during its validity period.
CVE-2026-33473 is a medium severity vulnerability in Vikunja API versions before 2.2.1 that allows attackers to replay TOTP codes for unauthorized authentication.
You are affected if you are using Vikunja API and have 2FA enabled, and are running a version prior to 2.2.1.
Upgrade to Vikunja API version 2.2.1 or later to resolve the TOTP replay vulnerability. Consider temporary workarounds if an immediate upgrade is not possible.
There is currently no indication of active exploitation, but the vulnerability's nature suggests it could be exploited once a PoC is released.
Refer to the official Vikunja security advisories on their website or GitHub repository for the latest information and updates.