CVE-2026-33473

Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue.

CVSS v3 5.7 MEDIUM

5.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.1 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-p747-qc5p-773r	Exploit Vendor Advisory
https://vikunja.io/changelog/vikunja-v2.2.0-was-released	Release Notes
https://vikunja.io/changelog/vikunja-v2.2.2-was-released	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-24 16:16

Updated : 2026-03-27 16:53

NVD link : CVE-2026-33473

Mitre link : CVE-2026-33473

CVE.ORG link : CVE-2026-33473

JSON object : View

Products Affected

vikunja

vikunja

CWE

CWE-287

Improper Authentication

NVD-CWE-noinfo

{"id": "CVE-2026-33473", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.1}]}, "published": "2026-03-24T16:16:33.710", "references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-p747-qc5p-773r", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released", "tags": ["Release Notes"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue."}, {"lang": "es", "value": "Vikunja es una plataforma de gesti\u00f3n de tareas de c\u00f3digo abierto autoalojada. A partir de la versi\u00f3n 0.13 y antes de la versi\u00f3n 2.2.1, cualquier usuario que haya habilitado 2FA puede ver su TOTP reutilizado durante la ventana de validez est\u00e1ndar de 30 segundos. La versi\u00f3n 2.2.1 corrige el problema."}], "lastModified": "2026-03-27T16:53:32.720", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A9EDB458-A25F-4E79-A8D5-340826D95EB6", "versionEndExcluding": "2.2.1", "versionStartIncluding": "0.13"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}