Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-28268 is a critical business logic vulnerability in the password reset mechanism of Vikunja, an open-source self-hosted task management platform. In versions prior to 2.1.0, password reset tokens are not invalidated after use due to a coding error where the wrong token type is deleted after a password reset. Additionally, a background cleanup job meant to expire old tokens is faulty and deletes only recently created tokens instead of old ones, leaving reset tokens valid indefinitely.'}, {'type': 'paragraph', 'content': "This means that if an attacker obtains a single valid password reset token (for example, through logs, browser history, or phishing), they can reuse that token repeatedly to take over the victim's account at any time in the future, bypassing normal authentication controls."}] [1]

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows an attacker who has intercepted a single password reset token to perform a persistent and complete account takeover without needing any additional credentials or user interaction.

• Persistent account takeover: The attacker can reuse the same reset token indefinitely.
• Bypasses authentication controls: The attacker does not need to know the original password or perform normal login.
• High impact on confidentiality, integrity, and availability of user accounts.

This can lead to unauthorized access to sensitive data, manipulation or deletion of tasks, and disruption of services managed through Vikunja.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'The vulnerability involves password reset tokens that remain valid indefinitely due to failure to invalidate tokens upon use and faulty token cleanup. Detection would involve checking for the presence of valid password reset tokens that should have been invalidated or expired.'}, {'type': 'paragraph', 'content': 'One approach is to inspect the database table that stores user tokens (likely named `user_tokens`) for tokens of type `TokenPasswordReset` that are older than the expected expiration time or have been used previously but still exist.'}, {'type': 'paragraph', 'content': 'Suggested commands (assuming access to the Vikunja database):'}, {'type': 'list_item', 'content': 'Run a SQL query to find all password reset tokens that are older than 24 hours (or the expected expiration period):'}, {'type': 'list_item', 'content': "SELECT * FROM user_tokens WHERE kind = 'TokenPasswordReset' AND created < datetime('now', '-1 day');"}, {'type': 'list_item', 'content': 'Check if tokens that should have been deleted after use still exist by correlating token usage logs or password reset events with tokens still present.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring logs or browser histories for password reset tokens being reused multiple times could indicate exploitation.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Vikunja to version 2.1.0 or later, which contains the patch that fixes the vulnerability.

This update ensures that password reset tokens are invalidated immediately after use and that the token cleanup cron job correctly deletes expired tokens.

• Upgrade Vikunja by replacing the binary with version 2.1.0 or pulling the latest Docker image.
• If immediate upgrade is not possible, consider manually invalidating all existing password reset tokens in the database to prevent reuse.
• Review and monitor password reset token usage and logs for suspicious activity.

Useful 0 Not Useful 0