Platform
go
Component
code.vikunja.io/api
Fixed in
0.13.1
CVE-2026-33473 describes a vulnerability in the Vikunja API: for users with two-factor authentication (2FA) enabled, a Time-based One-Time Password (TOTP) code is accepted more than once instead of being consumed on first use. An attacker who captures a code (for example from a phished login form or an intercepted login request) can replay it to complete a login as that user for as long as the code remains valid, which is the standard 30-second TOTP time step, widened by one step on either side if the verifier tolerates clock drift. The page reports the affected versions as Vikunja API releases prior to 2.2.1 and the fix as that release.
The primary impact of CVE-2026-33473 is unauthorized access to user accounts. TOTP is the second factor in Vikunja's login, so the attacker must already hold the user's password; what the flaw removes is the protection the second factor is supposed to add once the password is compromised. With a replayed code the attacker obtains a session as the user and can read, modify, or delete that user's data and act on their behalf. The risk is amplified if the user holds administrative privileges within the Vikunja instance, since the same session then reaches instance-wide settings. The validity window limits the attacker to a few seconds after capturing the code, but an attacker who is already in a position to capture the code (a phishing proxy, a logging middlebox) typically has that time.
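The following Go program, written for this page as an illustration and not taken from Vikunja's code base, shows the difference between a stateless TOTP check, which accepts any valid code any number of times inside its window, and the standard fix recommended by RFC 6238 section 5.2: remember the highest time step each user has authenticated with and refuse codes from that step or earlier. The TOTP implementation follows RFC 4226/6238 with the standard library only; the secret, user name, and timestamps are constructed test values (the secret is the RFC 6238 reference secret), and the function and type names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"sync"
	"time"
)

const (
	totpPeriod = 30 * time.Second // RFC 6238 default time step
	totpDigits = 6                // what Vikunja's authenticator apps display
	totpSkew   = 1                // accept one step either side for clock drift
)

// hotp computes an RFC 4226 HOTP value (HMAC-SHA1, dynamic truncation).
func hotp(secret []byte, counter uint64) string {
	mac := hmac.New(sha1.New, secret)
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac.Write(buf[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < totpDigits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", totpDigits, code%mod)
}

// step maps wall-clock time to the TOTP time-step counter.
func step(t time.Time) uint64 {
	return uint64(t.Unix() / int64(totpPeriod/time.Second))
}

// totp is what the user's authenticator app shows at time t.
func totp(secret []byte, t time.Time) string { return hotp(secret, step(t)) }

// verifyReplayable is the weak pattern: it keeps no state, so a captured
// code stays usable for every request until the window closes.
func verifyReplayable(secret []byte, code string, now time.Time) bool {
	s := step(now)
	for d := -totpSkew; d <= totpSkew; d++ {
		cand := uint64(int64(s) + int64(d))
		if hmac.Equal([]byte(hotp(secret, cand)), []byte(code)) {
			return true
		}
	}
	return false
}

var (
	ErrInvalid = errors.New("totp: invalid code")
	ErrReplay  = errors.New("totp: code already used")
)

// Verifier is the hardened pattern: the highest accepted time step is stored
// per user, and any code from that step or earlier is refused. In a real
// deployment this map must live in the database so that every replica shares
// it; an in-memory map (as here) would still allow replay across instances.
type Verifier struct {
	mu       sync.Mutex
	lastStep map[string]uint64 // user -> last accepted time step
}

func NewVerifier() *Verifier { return &Verifier{lastStep: make(map[string]uint64)} }

func (v *Verifier) Verify(user string, secret []byte, code string, now time.Time) error {
	s := step(now)
	v.mu.Lock()
	defer v.mu.Unlock()
	last, seen := v.lastStep[user]
	for d := -totpSkew; d <= totpSkew; d++ {
		cand := uint64(int64(s) + int64(d))
		if !hmac.Equal([]byte(hotp(secret, cand)), []byte(code)) {
			continue
		}
		if seen && cand <= last {
			return ErrReplay // same (or older) step already consumed
		}
		v.lastStep[user] = cand
		return nil
	}
	return ErrInvalid
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, constructed input
	now := time.Unix(1_700_000_000, 0)       // constructed login time
	code := totp(secret, now)                // code the victim types, captured by the attacker
	fmt.Println("stateless check, first use: ", verifyReplayable(secret, code, now))
	fmt.Println("stateless check, replay +5s:", verifyReplayable(secret, code, now.Add(5*time.Second)))
	v := NewVerifier()
	fmt.Println("stateful check, first use:  ", v.Verify("alice", secret, code, now))
	fmt.Println("stateful check, replay +5s: ", v.Verify("alice", secret, code, now.Add(5*time.Second)))
}
```

The stateful check rejects the replay while still accepting the next genuine code one step later; the cost is one stored integer per user, which must be persisted alongside the TOTP secret rather than kept in process memory.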
CVE-2026-33473 was publicly disclosed on 2026-03-20. There is currently no indication of active exploitation and no KEV listing. No public proof-of-concept (PoC) is available, but none is really needed: exploitation consists of submitting a captured, still-valid TOTP code a second time together with the user's password, so the practical barrier is capturing the code, not the replay itself.
Exploit Status
EPSS
0.03% (8th percentile)
CISA SSVC
The primary mitigation for CVE-2026-33473 is to upgrade to Vikunja API version 2.2.1 or later, which includes the fix for the TOTP replay. Shortening the TOTP period is not a realistic workaround: the 30-second step is shared with the user's authenticator app and is not something the server can change on its own. If an immediate upgrade is not possible, reduce the chance of a code being captured and noticed late: serve Vikunja only over TLS, make sure reverse proxies and application logs do not record login request bodies, and watch the authentication logs for two successful 2FA logins on the same account within the same 30-second window or from different client addresses in quick succession. After upgrading, confirm the fix by logging in with a TOTP code and then immediately submitting the same code again in a second login request; the second attempt should be rejected.
Update Vikunja to version 2.2.1 or higher. This version fixes the TOTP reuse vulnerability during the validity window.
CVE-2026-33473 is a medium severity vulnerability in Vikunja API versions before 2.2.1 that allows attackers to replay TOTP codes for unauthorized authentication.
You are affected if you run a Vikunja API version prior to 2.2.1 and any account on the instance has 2FA (TOTP) enabled.
Upgrade to Vikunja API version 2.2.1 or later to resolve the TOTP replay vulnerability. Consider temporary workarounds if an immediate upgrade is not possible.
There is currently no indication of active exploitation. The replay itself is trivial once an attacker has captured a valid code and the user's password, so do not wait for a public PoC before patching.
Refer to the official Vikunja security advisories on their website or GitHub repository for the latest information and updates.
CVSS Vector