CVE-2026-35597
Transaction Handling Bug in Vikunja TOTP Enables Unlimited Brute-Force
Publication date: 2026-04-10
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vikunja | vikunja | up to 2.3.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Vikunja's TOTP lockout mechanism allows unlimited brute-force attempts against two-factor authentication codes after a password compromise. This weakness can lead to unauthorized access to user accounts despite the presence of two-factor authentication, thereby increasing the risk of data breaches.
Such unauthorized access risks can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require appropriate safeguards to protect personal and sensitive data, including strong authentication mechanisms and protection against unauthorized access.
Because the vulnerability allows bypassing of two-factor authentication lockout protections, it undermines the effectiveness of access controls and may lead to violations of confidentiality requirements mandated by these regulations.
Can you explain this vulnerability to me?
CVE-2026-35597 is a moderate severity vulnerability in the Vikunja open-source task management platform affecting versions prior to 2.3.0. The issue lies in the Time-based One-Time Password (TOTP) authentication lockout mechanism, which is supposed to lock a user account after 10 failed TOTP attempts. However, due to a database transaction handling bug, the lockout status update is rolled back and never persisted in the database.
Specifically, when a TOTP validation fails, an in-memory counter increments failed attempts and attempts to set the user status to 'Account Locked' in the database. But the login handler always rolls back the database session after failure, undoing the lockout status update. This means the account never actually locks, allowing unlimited brute-force attempts against TOTP codes.
The vulnerability allows attackers who have obtained a user's password to bypass the two-factor authentication by brute-forcing the 6-digit TOTP codes without triggering account lockout. The flaw was fixed in version 2.3.0 by isolating the lockout update in its own committed database transaction.
How can this vulnerability impact me?
This vulnerability can significantly impact the security of your Vikunja deployment by allowing attackers to bypass the intended TOTP two-factor authentication protection.
- An attacker who has obtained a user's password (through phishing, credential stuffing, or data breaches) can brute-force the 6-digit TOTP codes without triggering account lockout.
- Unlimited brute-force attempts are possible because the account lockout status is never persisted due to the rollback bug.
- Attackers can circumvent per-IP rate limiting by using multiple IP addresses to parallelize brute-force attempts.
- This can lead to unauthorized access to user accounts despite two-factor authentication being enabled.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unlimited failed TOTP authentication attempts without triggering account lockout, which indicates the lockout mechanism is not functioning correctly.
A practical approach to detection is to simulate multiple failed login attempts with invalid TOTP codes and observe whether the user account status changes to locked in the database after exceeding 10 failed attempts.
For example, you can perform repeated POST requests to the login endpoint with valid username and password but invalid TOTP codes, then query the database to check if the account status is updated to 'Account Locked'.
- Send multiple failed login attempts (e.g., 11) with invalid TOTP codes to the login API endpoint.
- Query the user account status in the database to verify if it has changed to 'Account Locked'.
- Attempt a login with a valid TOTP code after the failed attempts to confirm if the account is locked and login is rejected.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Vikunja to version 2.3.0 or later, where the vulnerability is fixed.
The fix involves modifying the TOTP failed-attempt lockout mechanism to use an independent database session for persisting the account lockout status, ensuring that lockout updates are committed and not rolled back.
Until the upgrade is applied, consider implementing additional monitoring and rate limiting on TOTP authentication attempts, and be vigilant for signs of brute-force attacks.
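The rollback bug explained above and the independent-session fix described in the mitigation answer, modelled as an added example using Python's sqlite3 (this is not Vikunja's own code, which is Go; the `users` table, the `'locked'` status value and the `alice` account are constructed stand-ins for the real schema, while the 10-attempt threshold comes from the advisory). `login(..., fixed=False)` lets the lockout UPDATE ride on the request session that the handler always rolls back, so the status never persists; `fixed=True` commits it in its own session.

```python
import os, sqlite3, tempfile

MAX_FAILED = 10                       # lockout threshold from the advisory
failed_attempts: dict[str, int] = {}  # in-memory counter, as the advisory describes

def connect(path: str) -> sqlite3.Connection:
    db = sqlite3.connect(path, isolation_level=None)  # explicit BEGIN/COMMIT/ROLLBACK
    db.execute("PRAGMA journal_mode=WAL")  # an independent writer may commit while a request session reads
    return db

def new_db() -> str:
    path = os.path.join(tempfile.mkdtemp(), "users.db")
    db = connect(path)
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, status TEXT)")  # assumed schema, not Vikunja's
    db.execute("INSERT INTO users VALUES ('alice', 'active')")              # constructed sample account
    db.close()
    return path

def record_failure(session: sqlite3.Connection, name: str) -> None:
    failed_attempts[name] = failed_attempts.get(name, 0) + 1
    if failed_attempts[name] >= MAX_FAILED:
        session.execute("UPDATE users SET status = 'locked' WHERE name = ?", (name,))

def login(path: str, name: str, totp_ok: bool, fixed: bool) -> str:
    s = connect(path)                 # the request's database session
    s.execute("BEGIN")
    status = s.execute("SELECT status FROM users WHERE name = ?", (name,)).fetchone()[0]
    if status == "locked":
        s.execute("ROLLBACK"); s.close(); return "locked"
    if totp_ok:
        s.execute("COMMIT"); s.close(); return "ok"
    if fixed:                         # 2.3.0 behaviour: the lockout gets its own committed session
        lock = connect(path)
        lock.execute("BEGIN"); record_failure(lock, name); lock.execute("COMMIT"); lock.close()
    else:                             # pre-2.3.0: the UPDATE rides on the request session ...
        record_failure(s, name)
    s.execute("ROLLBACK")             # ... which the handler always rolls back on failure
    s.close()
    return "invalid_totp"

def simulate(fixed: bool, attempts: int = 11) -> tuple[str, str]:
    """Run `attempts` bad-TOTP logins; return (persisted status, result of a following valid login)."""
    failed_attempts.clear()
    path = new_db()
    for _ in range(attempts):
        login(path, "alice", totp_ok=False, fixed=fixed)
    db = connect(path)
    status = db.execute("SELECT status FROM users WHERE name = 'alice'").fetchone()[0]
    db.close()
    return status, login(path, "alice", totp_ok=True, fixed=fixed)
```

`simulate(fixed=False)` returns `('active', 'ok')`: after 11 failures the account is still active and a valid code logs in, which is the observable condition the detection answer above tells you to check for; `simulate(fixed=True)` returns `('locked', 'locked')`.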