CVE-2026-33473
TOTP Reuse Vulnerability in Vikunja 2FA Enables Authentication Bypass
Publication date: 2026-03-24
Last updated on: 2026-03-27
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vikunja | vikunja | From 0.13 (inc) to 2.2.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33473 is a vulnerability in the Vikunja task management platform affecting versions from 0.13 up to but not including 2.2.1. It concerns the Time-based One-Time Passwords (TOTPs) used for two-factor authentication (2FA). A valid TOTP code can be presented more than once during its validity window because the server does not record which codes have already been accepted. The standard TOTP step is 30 seconds; in practice the replay window is at least that long, and longer if the verifier also accepts adjacent time steps to tolerate clock drift.
This means that an attacker who obtains or phishes a valid TOTP (and already holds the password) can reuse that single code to authenticate several times before it expires, defeating the purpose of the second factor. The root cause is that the validation routine only checks whether the code is correct for the current time, not whether it has already been consumed. TOTP codes are meant to be single-use precisely to block this kind of replay, and a verifier that does not enforce that is an authentication weakness (CWE-287).
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability impact me?
This vulnerability weakens the protection that 2FA is supposed to give a Vikunja account. If an attacker captures or phishes a valid TOTP code for your account, they can log in with it more than once during its validity window rather than being limited to the single session the code should have allowed, so a code reused by you moments later, or intercepted in transit, is enough for them to bypass the second factor.
The impact is primarily on confidentiality: unauthorized access exposes whatever task and project data the compromised account can see. Integrity and availability are not scored as affected here, but the bug removes the second factor's value as a defense-in-depth control: once the password is known, one captured code is all an attacker needs.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows a valid Time-based One-Time Password (TOTP) to be accepted more than once during its validity window in Vikunja versions before 2.2.1. The first check is simply whether the running instance is older than 2.2.1; if it is, treat it as exposed.
Detecting exploitation means looking for more than one successful 2FA login for the same account within a short interval (about one 30-second TOTP step). Well-behaved authentication logs do not, and should not, record the TOTP value itself, so the practical signal is not "the same code twice" but "two successful second-factor logins for one user inside one time step", which is especially suspicious when they come from different source addresses.
Scripts that parse Vikunja's authentication logs and correlate successful 2FA events per user and per time window can surface this. No specific commands or detection tools are provided in the available resources, so any such script has to be adapted to the log format of your deployment.
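As an added example, not Vikunja's own code or tooling, the Go program below applies that heuristic to constructed log lines. The line format (RFC 3339 timestamp, the word login, then user=, ip= and totp=ok|fail fields) is an assumption invented for this example; Vikunja's real log output differs and parseLine would have to be adapted. The detector never needs the TOTP value, only the time, user and source address of each successful second-factor login.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// totpStep is the standard TOTP time step. Against an unpatched Vikunja a
// captured code can be replayed for at least this long.
const totpStep = 30 * time.Second

// loginEvent is one successful second-factor login.
type loginEvent struct {
	at   time.Time
	user string
	ip   string
}

// parseLine reads one constructed log line of the form
//   2026-03-24T10:00:01Z login user=alice ip=203.0.113.5 totp=ok
// ASSUMPTION: this format is invented for the example; adapt the parser to
// the real log source. Lines that are not successful TOTP logins yield ok=false.
func parseLine(line string) (ev loginEvent, ok bool) {
	fields := strings.Fields(line)
	if len(fields) < 5 || fields[1] != "login" {
		return loginEvent{}, false
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return loginEvent{}, false
	}
	ev.at = at
	for _, f := range fields[2:] {
		switch {
		case strings.HasPrefix(f, "user="):
			ev.user = strings.TrimPrefix(f, "user=")
		case strings.HasPrefix(f, "ip="):
			ev.ip = strings.TrimPrefix(f, "ip=")
		case f == "totp=ok":
			ok = true
		}
	}
	if !ok || ev.user == "" {
		return loginEvent{}, false
	}
	return ev, true
}

// findReplayCandidates flags each pair of successful TOTP logins by the same
// user that fall within one TOTP step. Two such logins from different source
// addresses are the strongest signal that a phished code was replayed.
func findReplayCandidates(lines []string) []string {
	byUser := map[string][]loginEvent{}
	for _, l := range lines {
		if ev, ok := parseLine(l); ok {
			byUser[ev.user] = append(byUser[ev.user], ev)
		}
	}
	var alerts []string
	for user, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].at.Before(evs[j].at) })
		for i := 1; i < len(evs); i++ {
			gap := evs[i].at.Sub(evs[i-1].at)
			if gap > totpStep {
				continue
			}
			tag := "same-ip"
			if evs[i].ip != evs[i-1].ip {
				tag = "distinct-ip"
			}
			alerts = append(alerts, fmt.Sprintf("%s: 2 TOTP logins %ds apart (%s -> %s) [%s]",
				user, int(gap.Seconds()), evs[i-1].ip, evs[i].ip, tag))
		}
	}
	sort.Strings(alerts) // deterministic output regardless of map iteration order
	return alerts
}

// sampleLog is constructed input: alice's code is reused 18 s later from a new
// address, carol logs in twice quickly from one address, bob's two logins are
// 130 s apart and his failed attempt is ignored.
var sampleLog = []string{
	"2026-03-24T10:00:01Z login user=alice ip=203.0.113.5 totp=ok",
	"2026-03-24T10:00:19Z login user=alice ip=198.51.100.7 totp=ok",
	"2026-03-24T10:00:25Z login user=bob ip=203.0.113.9 totp=fail",
	"2026-03-24T10:05:00Z login user=bob ip=203.0.113.9 totp=ok",
	"2026-03-24T10:07:10Z login user=bob ip=203.0.113.9 totp=ok",
	"2026-03-24T10:09:00Z login user=carol ip=192.0.2.4 totp=ok",
	"2026-03-24T10:09:12Z login user=carol ip=192.0.2.4 totp=ok",
}

func main() {
	for _, a := range findReplayCandidates(sampleLog) {
		fmt.Println(a)
	}
}
```

The same-ip hits are worth triaging rather than alerting on immediately: a user who opens two clients in quick succession produces the same pattern. A distinct-ip hit inside one step, with the second address unfamiliar for that user, is the case to escalate.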
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to update Vikunja to version 2.2.1 or later, where the vulnerability is patched; there is no configuration-only workaround described.
The patch implements a deny-list or cache of used TOTP codes covering their validity window, so a code that has already been accepted is rejected if it is presented again within that period.
Operators are strongly advised to replace the Vikunja binary or pull the latest Docker image and restart the service so the fix is actually running, then confirm the reported version is 2.2.1 or newer.
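The Go code below, added for this page (not Vikunja's code and not the actual patch), contrasts the behaviour described in the explanation above with a verifier that caches used codes in the way the mitigation section describes. It implements RFC 6238 TOTP over HMAC-SHA1 so that it runs stand-alone; the secret used in main is the RFC 4226/6238 test-vector key, and the skew tolerance of one adjacent step is an assumption, since the page does not state what Vikunja accepts.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"sync"
	"time"
)

const (
	totpStep = 30 * time.Second
	// skew is the number of adjacent steps accepted on either side of "now".
	// ASSUMPTION: Vikunja's real tolerance is not stated on this page; with
	// any skew the replay window is (2*skew+1) steps wide.
	skew = 1
)

// totpCode computes a 6-digit RFC 6238 code (HMAC-SHA1) for one time step.
func totpCode(secret []byte, step int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// codeMatches is the stateless check both verifiers share: is code the TOTP
// for any step inside the skew window around now?
func codeMatches(secret []byte, code string, now time.Time) bool {
	cur := now.Unix() / int64(totpStep/time.Second)
	for d := int64(-skew); d <= skew; d++ {
		if hmac.Equal([]byte(totpCode(secret, cur+d)), []byte(code)) {
			return true
		}
	}
	return false
}

// VulnerableVerify models the pre-2.2.1 behaviour described on the page:
// a correct code is accepted every time it is presented during its window.
func VulnerableVerify(secret []byte, code string, now time.Time) bool {
	return codeMatches(secret, code, now)
}

// ReplaySafeVerifier records every accepted (user, code) pair until that code
// can no longer validate, and rejects a second presentation in the meantime.
type ReplaySafeVerifier struct {
	mu   sync.Mutex
	used map[string]time.Time // key -> instant after which the entry is dead
}

func NewReplaySafeVerifier() *ReplaySafeVerifier {
	return &ReplaySafeVerifier{used: map[string]time.Time{}}
}

// Verify accepts a code at most once per user. Cache entries live for the
// whole (2*skew+1)-step span in which the code could still be valid.
func (v *ReplaySafeVerifier) Verify(user string, secret []byte, code string, now time.Time) bool {
	if !codeMatches(secret, code, now) {
		return false
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	for k, dead := range v.used { // evict entries that can no longer validate
		if !now.Before(dead) {
			delete(v.used, k)
		}
	}
	key := user + ":" + code
	if _, seen := v.used[key]; seen {
		return false // replay: this code was already consumed
	}
	v.used[key] = now.Add((2*skew + 1) * totpStep)
	return true
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226/6238 test-vector key
	now := time.Unix(59, 0)                 // step 1 -> code 287082
	code := totpCode(secret, now.Unix()/30)
	later := now.Add(10 * time.Second)
	fmt.Println("vulnerable: first use", VulnerableVerify(secret, code, now), "replay", VulnerableVerify(secret, code, later))
	v := NewReplaySafeVerifier()
	fmt.Println("fixed:      first use", v.Verify("alice", secret, code, now), "replay", v.Verify("alice", secret, code, later))
}
```

Two deployment points matter more than the cache itself. The used-code store has to be shared by every instance that validates logins, or a replay against a second replica still succeeds; and an equivalent, simpler rule from RFC 6238 section 5.2 is to persist the last accepted time step per user and refuse any code for that step or an earlier one, which bounds storage at one integer per account.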