Platform: go
Component: go-vikunja/vikunja
Fixed in: 2.3.1
CVE-2026-34727 describes an authentication bypass vulnerability affecting Vikunja, an open-source self-hosted task management platform. This flaw allows attackers to bypass two-factor authentication (TOTP) under specific circumstances, potentially leading to unauthorized access and data compromise. The vulnerability impacts versions 0.0.0 up to and including 2.2.9, and a fix is available in version 2.3.0.
An attacker exploiting CVE-2026-34727 can bypass Vikunja's two-factor authentication (TOTP) mechanism. This occurs when an attacker leverages the OpenID Connect (OIDC) email fallback feature. Specifically, if a local Vikunja user with TOTP enabled is matched during the OIDC authentication process, the second factor check is skipped entirely, granting the attacker access to the user's account and associated tasks. The potential impact includes unauthorized access to sensitive task data, modification of tasks, and potentially gaining control over the Vikunja instance itself, depending on user permissions. This bypass effectively negates a key security control designed to protect user accounts.
CVE-2026-34727 was publicly disclosed on 2026-04-10. There is currently no indication of active exploitation in the wild, nor are there any publicly available proof-of-concept exploits. The vulnerability has been added to the CISA KEV catalog, indicating a medium probability of exploitation. The CVSS score of 7.4 (HIGH) reflects the potential impact of unauthorized access.
Organizations and individuals using Vikunja for task management, particularly those relying on OpenID Connect (OIDC) for authentication and enabling TOTP two-factor authentication, are at risk. Shared hosting environments where multiple Vikunja instances share the same server resources could also be affected if one instance is compromised.
• linux / server:
journalctl -u vikunja -g "oidc callback"
• generic web:
curl -I https://your-vikunja-instance/oidc/callback | grep -i "WWW-Authenticate: Bearer"
Disclosure
Exploit status:
EPSS: 0.04% (14th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-34727 is to upgrade Vikunja to version 2.3.0 or later, which includes the fix for this authentication bypass. If upgrading immediately is not feasible, consider temporarily disabling the OIDC email fallback feature within Vikunja's configuration. While this reduces usability, it prevents the vulnerability from being exploited. Monitor Vikunja logs for any suspicious authentication attempts, particularly those involving OIDC. Implement stricter rate limiting on authentication endpoints to slow down potential brute-force attacks. After upgrading, confirm the fix by attempting an OIDC login with TOTP enabled and verifying that the second factor is properly enforced.
Update Vikunja to version 2.3.0 or later to prevent the TOTP two-factor authentication from being skipped when logging in via OIDC. The update fixes the problem by checking whether the user has TOTP enabled before a JWT token is issued.
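To make the bug class concrete, here is a simplified model of an OIDC callback with an email fallback, written as an added example for this page. It is not Vikunja's code and does not reproduce its handlers; the names (User, OIDCClaims, CallbackVulnerable, CallbackFixed, resolveUser, SampleUsers) and the user records are constructed for illustration, and a plain string stands in for the signed JWT. The vulnerable variant issues a full session as soon as a local user is matched, even when that user has TOTP enabled; the fixed variant checks the TOTP flag first and returns only a pending state, so the second factor must still be verified before any session token exists.

```go
package main

import (
	"errors"
	"fmt"
)

// User is a local account record (constructed for the example, not a Vikunja type).
type User struct {
	ID          int
	Email       string
	OIDCSubject string // empty if the account was never linked to an OIDC identity
	TOTPEnabled bool
}

// OIDCClaims is what the identity provider asserts about the person who just logged in.
type OIDCClaims struct {
	Subject string
	Email   string
}

// LoginResult is what the callback hands back to the client.
type LoginResult struct {
	SessionToken string // full session; stands in for a signed JWT (hypothetical)
	TOTPPending  bool   // true when the client must still present a valid TOTP code
	UserID       int
}

var ErrNoUser = errors.New("no matching local user")

// resolveUser models the "email fallback": prefer an account linked to the OIDC
// subject; otherwise match any local account whose email equals the claim.
func resolveUser(users []User, c OIDCClaims) (User, error) {
	for _, u := range users {
		if u.OIDCSubject != "" && u.OIDCSubject == c.Subject {
			return u, nil
		}
	}
	for _, u := range users {
		if u.Email == c.Email {
			return u, nil
		}
	}
	return User{}, ErrNoUser
}

// CallbackVulnerable issues a full session for whichever local user matched,
// without ever consulting that user's TOTP setting: the second factor is skipped.
func CallbackVulnerable(users []User, c OIDCClaims) (LoginResult, error) {
	u, err := resolveUser(users, c)
	if err != nil {
		return LoginResult{}, err
	}
	return LoginResult{SessionToken: fmt.Sprintf("session-for-%d", u.ID), UserID: u.ID}, nil
}

// CallbackFixed checks the TOTP flag of the matched local user before issuing a
// session. With TOTP enabled it returns only a pending marker; the session token
// is issued by a separate step (not shown) once a valid TOTP code is verified.
func CallbackFixed(users []User, c OIDCClaims) (LoginResult, error) {
	u, err := resolveUser(users, c)
	if err != nil {
		return LoginResult{}, err
	}
	if u.TOTPEnabled {
		return LoginResult{TOTPPending: true, UserID: u.ID}, nil
	}
	return LoginResult{SessionToken: fmt.Sprintf("session-for-%d", u.ID), UserID: u.ID}, nil
}

// SampleUsers returns constructed records: alice is OIDC-linked without TOTP,
// bob is a purely local account protected by TOTP.
func SampleUsers() []User {
	return []User{
		{ID: 1, Email: "alice@example.test", OIDCSubject: "idp|alice", TOTPEnabled: false},
		{ID: 2, Email: "bob@example.test", OIDCSubject: "", TOTPEnabled: true},
	}
}

func main() {
	// An OIDC identity whose email happens to equal bob's local account email.
	claims := OIDCClaims{Subject: "idp|someone-else", Email: "bob@example.test"}
	v, _ := CallbackVulnerable(SampleUsers(), claims)
	f, _ := CallbackFixed(SampleUsers(), claims)
	fmt.Printf("vulnerable: token=%q totpPending=%v\n", v.SessionToken, v.TOTPPending)
	fmt.Printf("fixed:      token=%q totpPending=%v\n", f.SessionToken, f.TOTPPending)
}
```

The design point is that the TOTP decision is taken from the local user record after the fallback match, not from anything the identity provider asserts, and that the pending state carries no session at all rather than a downgraded one. When verifying an upgrade as the mitigation paragraph suggests, the observable behaviour to check is the second case: an OIDC login that resolves to a TOTP-enabled local user must stop at the TOTP prompt instead of landing in the account.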
CVE-2026-34727 is a vulnerability in Vikunja versions 0.0.0 through 2.2.9 that allows attackers to bypass two-factor authentication (TOTP) when using OpenID Connect (OIDC) with email fallback.
You are affected if you are using Vikunja versions 0.0.0 through 2.2.9 and have OIDC configured with email fallback and TOTP enabled.
Upgrade Vikunja to version 2.3.0 or later to resolve the vulnerability. As a temporary workaround, disable OIDC email fallback.
There is currently no evidence of active exploitation in the wild, and no public proof-of-concept exploits are available.
Refer to the official Vikunja security advisory on their website or GitHub repository for detailed information and updates.