CVE-2026-33473
Received Received - Intake
TOTP Reuse Vulnerability in Vikunja 2FA Enables Authentication Bypass

Publication date: 2026-03-24

Last updated on: 2026-03-27

Assigner: GitHub, Inc.

Description
Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-27
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33473
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vikunja vikunja From 0.13 (inc) to 2.2.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Executive Summary

CVE-2026-33473 is a vulnerability in the Vikunja task management platform affecting versions from 0.13 up to but not including 2.2.1. The issue involves the reuse of Time-based One-Time Passwords (TOTPs) used for two-factor authentication (2FA). Specifically, a valid TOTP code can be reused multiple times within its standard 30-second validity window because the system does not track whether a TOTP has already been used during that period.

This means that an attacker who obtains or phishes a valid TOTP can reuse it within the 30-second window to authenticate multiple sessions, bypassing the intended security of 2FA. The vulnerability arises because the validation function accepts the same TOTP multiple times without denying reuse, violating best practices that require TOTPs to be single-use to prevent replay attacks.

Impact Analysis

This vulnerability can undermine the security of your Vikunja account by allowing an attacker to reuse a valid TOTP multiple times within its 30-second validity window. If an attacker manages to capture or phish your TOTP code, they can bypass the two-factor authentication protection and gain unauthorized access to your account.

The impact is primarily on confidentiality, as unauthorized access could expose sensitive task management data. The vulnerability does not affect data integrity or availability but weakens the defense-in-depth security model by compromising the effectiveness of 2FA.

Detection Guidance

This vulnerability involves the reuse of a valid Time-based One-Time Password (TOTP) within its 30-second validity window in Vikunja versions prior to 2.2.1. Detection involves monitoring authentication logs for multiple successful authentications using the same TOTP code within a short time frame.

You can detect potential exploitation by analyzing authentication logs for repeated use of identical TOTP codes within 30 seconds for the same user account.

Since the vulnerability is related to TOTP reuse, commands or scripts that parse Vikunja authentication logs to identify repeated TOTP values within the 30-second window could help detect it.

However, no specific commands or detection tools are provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to update Vikunja to version 2.2.1 or later, where the vulnerability has been patched.

The patch implements a deny-list or cache of used TOTP codes for their validity window, rejecting any repeated use of the same code within that period.

Users are strongly advised to replace the Vikunja binary or pull the latest Docker image to ensure the fix is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33473. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart