Platform: go
Component: go-vikunja/vikunja
Fixed in: 2.3.1
CVE-2026-34727 is an authentication bypass in Vikunja, an open-source, self-hosted task management platform. Under a specific configuration it lets an attacker skip time-based one-time password (TOTP) two-factor authentication, which can lead to unauthorized access and data compromise. All versions up to and including 2.2.9 are affected; a fix is available in version 2.3.0.
The bypass occurs when Vikunja is configured for OpenID Connect (OIDC) login with email fallback enabled and the account being logged into is a local user with TOTP enabled. In that case the OIDC login flow resolves the local account by email address but never enforces the second factor, so an attacker who completes an OIDC login with an identity whose email claim matches that user's address is logged in as the user without ever supplying a TOTP code. The impact is unauthorized access to the task lists, notes and other data the account can reach; depending on the account's permissions, this extends to modifying tasks and, for an administrative account, to control over the Vikunja instance.
The vulnerability was publicly disclosed on 2026-04-10. There is no indication of exploitation in the wild and no public proof-of-concept exploit, and it is not listed in the CISA KEV catalog. Because the flaw is an authentication bypass, the probability of exploitation is rated medium even though a fix is available.
Exploit Status
EPSS: 0.04% (14th percentile)
CISA SSVC: not provided
CVSS Vector: not provided
The primary mitigation for CVE-2026-34727 is to upgrade Vikunja to version 2.3.0 or later, which contains the fix. If an immediate upgrade is not feasible, disable OIDC email fallback as a temporary workaround, so that an OIDC identity is no longer matched to a local account by email address alone. Review Vikunja logs for suspicious authentication activity, in particular OIDC logins that resolve to a local account with TOTP enabled, and review user permissions regularly to limit the blast radius of a compromised account. After upgrading, confirm the fix by performing an OIDC login as an account that has TOTP enabled and verifying that the TOTP prompt is enforced before a session is granted.
Update Vikunja to version 2.3.0 or later to stop TOTP two-factor authentication from being skipped on OIDC logins. The fix checks whether the resolved user has TOTP enabled before issuing a JWT.
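To make the failure mode and the fix concrete, here is an added Go example that is not Vikunja's code. It models the OIDC login path with a hypothetical in-memory user store: vulnerableLogin issues a full token as soon as the OIDC identity resolves to a local user, and fixedLogin, like the fix described above, checks the user's TOTP flag before issuing the full token. The type names, the "full" and "totp-pending" scopes, the sample users and the IdP URL are all constructed for illustration. The example also shows why disabling email fallback works as a workaround: without it, an unlinked OIDC identity no longer resolves to the local account at all.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed model of the state that matters for this bug; illustrative types, not Vikunja's own.
type User struct {
	ID          int64
	Email       string
	TOTPEnabled bool // the local account has a TOTP secret enrolled
}

// OIDCClaims is assumed to come from an already verified OIDC ID token.
type OIDCClaims struct {
	Issuer  string
	Subject string
	Email   string
}

// Token stands in for the JWT minted after login. The scope names are assumed.
type Token struct {
	UserID    int64
	Scope     string // "full" or "totp-pending"
	ExpiresAt time.Time
}

type UserStore struct {
	byOIDCIdentity map[string]*User // key: issuer + "|" + subject
	byEmail        map[string]*User // key: lower-cased email address
}

var ErrUnknownUser = errors.New("no local user matches the OIDC identity")

// resolveOIDC maps an OIDC identity to a local user. With emailFallback on, an identity
// that was never linked is matched by email address alone; that is the path on which
// the second factor went unchecked. Provisioning a brand-new account is out of scope here.
func (s *UserStore) resolveOIDC(c OIDCClaims, emailFallback bool) (*User, error) {
	if u, ok := s.byOIDCIdentity[c.Issuer+"|"+c.Subject]; ok {
		return u, nil
	}
	if emailFallback {
		if u, ok := s.byEmail[strings.ToLower(c.Email)]; ok {
			return u, nil
		}
	}
	return nil, ErrUnknownUser
}

// vulnerableLogin mints a full token as soon as a user is resolved, so a
// TOTP-protected local user matched by email never sees the second factor.
func vulnerableLogin(s *UserStore, c OIDCClaims, emailFallback bool, now time.Time) (Token, error) {
	u, err := s.resolveOIDC(c, emailFallback)
	if err != nil {
		return Token{}, err
	}
	return Token{UserID: u.ID, Scope: "full", ExpiresAt: now.Add(24 * time.Hour)}, nil
}

// fixedLogin checks TOTPEnabled before issuing the full token. A TOTP user only gets a
// short-lived pending token, to be exchanged for a full one by submitting a valid TOTP
// code (that exchange is not modelled here).
func fixedLogin(s *UserStore, c OIDCClaims, emailFallback bool, now time.Time) (Token, error) {
	u, err := s.resolveOIDC(c, emailFallback)
	if err != nil {
		return Token{}, err
	}
	if u.TOTPEnabled {
		return Token{UserID: u.ID, Scope: "totp-pending", ExpiresAt: now.Add(5 * time.Minute)}, nil
	}
	return Token{UserID: u.ID, Scope: "full", ExpiresAt: now.Add(24 * time.Hour)}, nil
}

// canAccessAPI is the gate ordinary endpoints apply: a pending token is not a
// completed login, however it was obtained.
func canAccessAPI(t Token, now time.Time) bool {
	return t.Scope == "full" && now.Before(t.ExpiresAt)
}

// newSampleStore holds constructed data: alice is a local TOTP user with no linked
// OIDC identity; bob is linked to an OIDC identity and has no TOTP.
func newSampleStore() *UserStore {
	alice := &User{ID: 1, Email: "alice@example.org", TOTPEnabled: true}
	bob := &User{ID: 2, Email: "bob@example.org", TOTPEnabled: false}
	return &UserStore{
		byOIDCIdentity: map[string]*User{"https://idp.example|sub-bob": bob},
		byEmail:        map[string]*User{alice.Email: alice, bob.Email: bob},
	}
}

func main() {
	s, now := newSampleStore(), time.Now()
	// An IdP identity that merely carries alice's email address (constructed attacker input).
	claims := OIDCClaims{Issuer: "https://idp.example", Subject: "sub-attacker", Email: "Alice@example.org"}
	v, _ := vulnerableLogin(s, claims, true, now)
	f, _ := fixedLogin(s, claims, true, now)
	_, err := fixedLogin(s, claims, false, now)
	fmt.Printf("vulnerable: %s (api access %v)\nfixed: %s (api access %v)\nfallback off: %v\n",
		v.Scope, canAccessAPI(v, now), f.Scope, canAccessAPI(f, now), err)
}
```

Run it with go run: the vulnerable path hands out a full token for alice on the strength of an email claim, the fixed path hands out only a pending token that canAccessAPI rejects, and with fallback disabled the login does not resolve to alice at all. In a real deployment the pending token must be accepted only by the TOTP-completion endpoint and nowhere else.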
CVE-2026-34727 is a vulnerability in Vikunja versions up to and including 2.2.9 that allows attackers to bypass TOTP two-factor authentication when OpenID Connect (OIDC) is used with email fallback.
You are affected if you run Vikunja 2.2.9 or earlier with OIDC configured, email fallback enabled, and at least one local user with TOTP enabled.
Upgrade Vikunja to version 2.3.0 or later to resolve the vulnerability. As a temporary workaround, disable OIDC email fallback.
There is currently no evidence of active exploitation in the wild, and no public proof-of-concept exploits are available.
Refer to the official Vikunja security advisory on their website or GitHub repository for detailed information and updates.