CVE-2026-33316
Undergoing Analysis - In Progress
Authorization Bypass in Vikunja Password Reset Allows Account Reactivation

Publication date: 2026-03-24

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user’s status to `StatusActive` after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through `/api/v1/user/password/token` and completing the reset via `/api/v1/user/password/reset`, a disabled user can reactivate their account and bypass administrator-imposed account disablement. Version 2.2.0 patches the issue.
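The advisory describes the defect in terms of a single missing check in `ResetPassword()`. The following Go model, written for this page as an added illustration and not taken from Vikunja's code base, puts the described behaviour next to a hardened variant: the vulnerable function sets `StatusActive` unconditionally, while the fixed one inspects the stored state first and leaves it untouched. The token-issuance step is also modelled so that the flow is refused at the first endpoint. The `User` struct, `StatusDisabled`, `hashPassword` and the token format are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Status models an account's administrative state. The name StatusActive
// follows the advisory; everything else here is an illustrative model,
// not Vikunja's own code.
type Status int

const (
	StatusActive Status = iota
	StatusDisabled
)

// User is a minimal account record for the example (assumed shape).
type User struct {
	Username     string
	Status       Status
	PasswordHash string
}

// ErrAccountDisabled is returned when a disabled account tries to use the
// reset flow.
var ErrAccountDisabled = errors.New("account is disabled")

// hashPassword stands in for a real password hasher (assumption; a real
// service would use bcrypt or argon2).
func hashPassword(pw string) string { return "hashed:" + pw }

// issueResetToken models the /api/v1/user/password/token step. Refusing
// tokens for disabled accounts stops the reset flow before it starts.
func issueResetToken(u *User) (string, error) {
	if u.Status == StatusDisabled {
		return "", ErrAccountDisabled
	}
	// Placeholder value; a real implementation returns a random,
	// single-use, expiring token.
	return "reset-token-for-" + u.Username, nil
}

// vulnerableResetPassword reproduces the flaw the advisory describes: a
// successful reset unconditionally sets StatusActive, so a disabled account
// is silently reactivated.
func vulnerableResetPassword(u *User, newPassword string) error {
	u.PasswordHash = hashPassword(newPassword)
	u.Status = StatusActive
	return nil
}

// fixedResetPassword checks the stored state before doing anything and
// never changes it: a disabled account is refused and stays disabled.
func fixedResetPassword(u *User, newPassword string) error {
	if u.Status == StatusDisabled {
		return ErrAccountDisabled
	}
	u.PasswordHash = hashPassword(newPassword)
	// Status is intentionally left untouched.
	return nil
}

func main() {
	u := &User{Username: "alice", Status: StatusDisabled, PasswordHash: "old"}

	_ = vulnerableResetPassword(u, "new-secret")
	fmt.Println("vulnerable path reactivated account:", u.Status == StatusActive)

	u.Status = StatusDisabled
	err := fixedResetPassword(u, "new-secret")
	fmt.Println("fixed path error:", err, "; still disabled:", u.Status == StatusDisabled)
}
```

The important design choice is that the hardened reset never writes the status field at all: reactivation is an administrative decision and belongs in the admin path, not in a self-service flow that any holder of a reset token can drive.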
Meta Information
Published: 2026-03-24
Last Modified: 2026-03-24
Generated: 2026-06-16
AI Q&A: 2026-03-24
EPSS Evaluated: 2026-06-15
NVD
Affected Vendors & Products (1 associated CPE)
Vendor: vikunja
Product: vikunja
Version / Range: up to 2.2.0 (excluding)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Quick Actions
Executive Summary

This vulnerability exists in Vikunja, an open-source self-hosted task management platform, in versions prior to 2.2.0. The flaw is in the password reset logic where the ResetPassword() function sets a user's status to active after a successful password reset without checking if the account was previously disabled.

As a result, a disabled user can request a password reset token and complete the reset process to reactivate their account, effectively bypassing administrator-imposed account disablement.

This issue was fixed in version 2.2.0.

Impact Analysis

This vulnerability allows disabled users to regain access to their accounts despite administrative actions to disable them.

This can lead to unauthorized access, potentially compromising sensitive information or disrupting the management of tasks within the Vikunja platform.

Given the CVSS score of 8.1 with high confidentiality and integrity impact, the vulnerability poses a significant security risk.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Vikunja to version 2.2.0 or later, where the issue has been patched.

Until the upgrade is applied, be aware that disabled users can regain access by resetting their password, so consider additional monitoring or restricting access to the password reset endpoints.
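The interim advice above is to watch the two reset endpoints. The Go snippet below, added here as an example and not part of the page or of Vikunja, shows the simplest useful form of that monitoring: correlate hits on `/api/v1/user/password/token` and `/api/v1/user/password/reset` with the set of accounts an administrator has disabled, and raise a finding for each match. The log lines are constructed, and their `user method path status` layout is an assumption; a real deployment would adapt the parser to its reverse-proxy or application log format and pull the disabled-account list from the database.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleLog holds constructed access-log lines in an assumed
// "user method path status" layout. Adapt the parser to your real format.
const sampleLog = `alice POST /api/v1/user/password/token 200
bob POST /api/v1/user/password/token 200
bob POST /api/v1/user/password/reset 200
bob GET /api/v1/tasks/all 403
carol GET /api/v1/tasks/all 200
dave POST /api/v1/user/password/reset 200`

// resetEndpoints are the two paths named in the advisory.
var resetEndpoints = map[string]bool{
	"/api/v1/user/password/token": true,
	"/api/v1/user/password/reset": true,
}

// Finding records one reset-endpoint request made for an account that an
// administrator has disabled.
type Finding struct {
	User string
	Path string
}

// findDisabledAccountResets scans the log and returns every reset-endpoint
// request attributed to a disabled account, in log order. Other requests by
// disabled accounts (e.g. a 403 on a task route) are ignored here; they are
// the expected outcome of disablement, not a sign of the bypass.
func findDisabledAccountResets(logText string, disabled map[string]bool) []Finding {
	var out []Finding
	for _, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		fields := strings.Fields(line)
		if len(fields) < 3 {
			continue // malformed line; skip rather than fail the whole scan
		}
		user, path := fields[0], fields[2]
		if disabled[user] && resetEndpoints[path] {
			out = append(out, Finding{User: user, Path: path})
		}
	}
	return out
}

func main() {
	// Constructed disabled-account list; in practice, query it from the
	// user store at scan time.
	disabled := map[string]bool{"bob": true, "dave": true}

	for _, f := range findDisabledAccountResets(sampleLog, disabled) {
		fmt.Printf("ALERT: disabled account %q hit reset endpoint %s\n", f.User, f.Path)
	}
}
```

A token request followed by a completed reset for the same disabled account, as with `bob` in the sample, is the full pattern the advisory describes and is the sequence worth paging on; a lone token request may be a routine mistake but still deserves a look.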
