Platform
go
Component
code.vikunja.io/api
Fixed in
0.13.1
CVE-2026-33473 describes a vulnerability in the Vikunja API where, for users with Two-Factor Authentication (2FA) enabled, a Time-based One-Time Password (TOTP) code is not invalidated after it has been accepted. RFC 6238 requires the verifier to reject a second use of a code that has already been validated; without that check, anyone who captures the code can submit it again and authenticate as the user for the remainder of its standard 30-second validity window. The vulnerability affects versions of Vikunja API prior to 2.2.1 and has been resolved in that release.
The primary impact of CVE-2026-33473 is unauthorized access to user accounts. An attacker who obtains a valid TOTP code for a Vikunja user (for example through a phishing proxy, shoulder-surfing, or a compromised client) can replay it to authenticate as that user, gaining access to their data and performing actions on their behalf: reading sensitive information, modifying data, or deleting accounts. The attacker must still present the user's password; the flaw defeats only the second factor, which is precisely the factor meant to make a stolen password insufficient. The risk is higher if the user has administrative privileges within the Vikunja instance. The replay window is the remaining lifetime of the current 30-second time step, and longer if the server also accepts adjacent steps to tolerate clock drift, as TOTP implementations commonly do.
CVE-2026-33473 was publicly disclosed on 2026-03-20. There is currently no indication of active exploitation or a KEV listing. No public proof-of-concept (PoC) has been published, but none is needed: replaying a code requires nothing more than re-submitting a value the attacker has already captured.
Users of Vikunja API who have enabled 2FA and are running versions prior to 2.2.1 are at risk. This includes individuals and organizations relying on Vikunja for task management and collaboration, particularly those with sensitive data stored within the system. The exposure is per account, since the attacker needs a valid code for a specific user, so instances hosting many users (shared or multi-tenant deployments) present more accounts that can be targeted.
• linux / server (assumes Vikunja runs as a systemd unit named vikunja; the exact log wording depends on the version):
journalctl -u vikunja -g "totp"
• generic web (Vikunja's info endpoint, which reports the running version in its "version" field; compare it against 2.2.1):
curl -s -o /dev/null -w '%{http_code}' <vikunja_url>/api/v1/info
• database (redis): not applicable. Vikunja keeps no TOTP-validation counter in Redis, and Redis has no INFO section for it; the running version and the application log are the only reliable checks.
Disclosure
Exploit Status
EPSS
0.03% (percentile 8%)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-33473 is to upgrade to Vikunja API version 2.2.1 or later, which makes an accepted TOTP code single-use. Shortening the TOTP validity window is not a workaround: the code remains reusable for whatever window remains. If an immediate upgrade is not possible, rate-limit the login endpoint at the reverse proxy and review Vikunja's logs for repeated successful logins to the same account within seconds of each other, especially from different source addresses. After upgrading, confirm the fix by logging in with a TOTP code and then submitting the same code a second time within the same 30-second window: the second attempt must be rejected.
Update Vikunja to version 2.2.1 or later. This release fixes the reuse of a TOTP code within its validity window.
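As an added illustration, not Vikunja's code and not the upstream patch, the following Go program implements RFC 6238 TOTP with the standard library and contrasts a stateless verifier, which accepts the same code for as long as the time step lasts, with one that records the highest accepted step per user and refuses anything at or before it. The second verifier exhibits the behaviour the post-upgrade check above expects: first use accepted, same code rejected. The verifier types, the user names, the secret and the fixed timestamp are constructed sample values; the secret is the RFC 4226 test key so the implementation can be checked against the published vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"sync"
	"time"
)

// totpPeriod is the RFC 6238 default time step in seconds.
const totpPeriod int64 = 30

// totpAt returns the 6-digit code for one time step (HMAC-SHA1, RFC 4226 dynamic truncation).
func totpAt(secret []byte, step int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := int(sum[len(sum)-1] & 0x0f)
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// stepOf maps a wall-clock time to its TOTP time step.
func stepOf(t time.Time) int64 { return t.Unix() / totpPeriod }

// VulnerableVerifier models the behaviour the advisory describes (it is not Vikunja's code):
// it checks the code against the current step and keeps no record of codes already accepted,
// so a captured code keeps working until the step rolls over.
type VulnerableVerifier struct{ secret []byte }

func (v VulnerableVerifier) Verify(code string, now time.Time) bool {
	want := totpAt(v.secret, stepOf(now))
	return hmac.Equal([]byte(code), []byte(want))
}

// HardenedVerifier remembers the highest time step accepted for each user and refuses any
// code from that step or an earlier one (RFC 6238 section 5.2). In a real deployment this
// state must be shared by every API replica, otherwise a replay against another replica succeeds.
type HardenedVerifier struct {
	secret   []byte
	skew     int64 // adjacent steps tolerated for clock drift; each one widens the replay window
	mu       sync.Mutex
	lastStep map[string]int64
}

func NewHardenedVerifier(secret []byte, skew int64) *HardenedVerifier {
	return &HardenedVerifier{secret: secret, skew: skew, lastStep: make(map[string]int64)}
}

func (h *HardenedVerifier) Verify(user, code string, now time.Time) bool {
	cur := stepOf(now)
	h.mu.Lock()
	defer h.mu.Unlock()
	last, seen := h.lastStep[user]
	for d := -h.skew; d <= h.skew; d++ {
		s := cur + d
		if seen && s <= last {
			continue // this step, or an earlier one, has already been consumed for this user
		}
		if hmac.Equal([]byte(code), []byte(totpAt(h.secret, s))) {
			h.lastStep[user] = s
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 test key, constructed sample
	now := time.Unix(1700000000, 0)          // fixed clock so the run is reproducible
	code := totpAt(secret, stepOf(now))

	v := VulnerableVerifier{secret: secret}
	fmt.Println("vulnerable: first use", v.Verify(code, now), "replay", v.Verify(code, now))

	h := NewHardenedVerifier(secret, 1)
	fmt.Println("hardened:   first use", h.Verify("alice", code, now),
		"replay", h.Verify("alice", code, now.Add(10*time.Second)))
}
```

The hardened verifier records the step rather than the code itself, which also blocks a code from an earlier step being presented after a later one was accepted; storing only "last code seen" would not.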
CVE-2026-33473 is a medium severity vulnerability in Vikunja API versions before 2.2.1 that allows attackers to replay TOTP codes for unauthorized authentication.
You are affected if you are using Vikunja API and have 2FA enabled, and are running a version prior to 2.2.1.
Upgrade to Vikunja API version 2.2.1 or later to resolve the TOTP replay vulnerability. If an immediate upgrade is not possible, rate-limit the login endpoint and monitor for repeated 2FA logins to the same account.
There is currently no indication of active exploitation. Exploitation requires no special tooling, since an attacker who has captured a valid code only needs to submit it again within its validity window, so the absence of public PoC code offers little protection.
Refer to the official Vikunja security advisories on their website or GitHub repository for the latest information and updates.