CVE-2026-33316
Status: Undergoing Analysis - In Progress
Authorization Bypass in Vikunja Password Reset Allows Account Reactivation

Publication date: 2026-03-24

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user’s status to `StatusActive` after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through `/api/v1/user/password/token` and completing the reset via `/api/v1/user/password/reset`, a disabled user can reactivate their account and bypass administrator-imposed account disablement. Version 2.2.0 patches the issue.
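As an added illustration (not Vikunja's own code), the following Go model reproduces the reset flow the description outlines: the pre-2.2.0 logic that unconditionally sets the status to active is shown beside a version that preserves administrative disablement. The `Status` type, `User` struct and the functions named after the two endpoints are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
)

// Hypothetical status values and user model, not Vikunja's own types.
type Status int
const StatusActive, StatusDisabled Status = 0, 1 // Disabled is set by an administrator
type User struct {
	Status     Status
	Password   string // placeholder; a real system stores a bcrypt/argon2 hash
	resetToken string
}
var ErrInvalidToken, ErrAccountDisabled = errors.New("invalid reset token"), errors.New("account is disabled")
// RequestResetToken models /api/v1/user/password/token: issue a random reset token.
func RequestResetToken(u *User) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	u.resetToken = hex.EncodeToString(b)
	return u.resetToken, nil
}
func validToken(u *User, token string) bool {
	return u.resetToken != "" && subtle.ConstantTimeCompare([]byte(u.resetToken), []byte(token)) == 1
}
// ResetPasswordVulnerable models the pre-2.2.0 flaw: a valid reset forces Status to active.
func ResetPasswordVulnerable(u *User, token, newPassword string) error {
	if !validToken(u, token) {
		return ErrInvalidToken
	}
	u.Password, u.resetToken = newPassword, ""
	u.Status = StatusActive // the bug: a disabled account reactivates itself
	return nil
}
// ResetPasswordFixed never touches Status and refuses disabled accounts (modelled fix).
func ResetPasswordFixed(u *User, token, newPassword string) error {
	if u.Status == StatusDisabled {
		return ErrAccountDisabled
	}
	if !validToken(u, token) {
		return ErrInvalidToken
	}
	u.Password, u.resetToken = newPassword, ""
	return nil
}
```

The hardened variant also consumes the token on use, so a second reset with the same token is rejected.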
Meta Information
Published: 2026-03-24
Last Modified: 2026-03-24
Generated: 2026-05-07
AI Q&A: 2026-03-24
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: vikunja
Product: vikunja
Version / Range: up to 2.2.0 (excluding)
CWE
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Vikunja, an open-source self-hosted task management platform, in versions prior to 2.2.0. The flaw is in the password reset logic where the ResetPassword() function sets a user's status to active after a successful password reset without checking if the account was previously disabled.

As a result, a disabled user can request a password reset token and complete the reset process to reactivate their account, effectively bypassing administrator-imposed account disablement.

This issue was fixed in version 2.2.0.


How can this vulnerability impact me?

This vulnerability allows disabled users to regain access to their accounts despite administrative actions to disable them.

This can lead to unauthorized access, potentially compromising sensitive information or disrupting the management of tasks within the Vikunja platform.

Given the CVSS score of 8.1 with high confidentiality and integrity impact, the vulnerability poses a significant security risk.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Vikunja to version 2.2.0 or later, where the issue has been patched.

Until the upgrade is applied, be aware that disabled users can regain access by resetting their password, so consider additional monitoring or restricting access to the password reset endpoints.

