CVE-2026-35597
Transaction Handling Bug in Vikunja TOTP Enables Unlimited Brute-Force

Publication date: 2026-04-10

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the TOTP failed-attempt lockout mechanism is non-functional due to a database transaction handling bug. When a TOTP validation fails, the login handler in pkg/routes/api/v1/login.go calls HandleFailedTOTPAuth and then unconditionally rolls back. HandleFailedTOTPAuth in pkg/user/totp.go uses an in-memory counter (key-value store) to track failed attempts. When the counter reaches 10, it calls user.SetStatus(s, StatusAccountLocked) on the same database session s. Because the login handler always rolls back after a TOTP failure, the StatusAccountLocked write is undone. The in-memory counter correctly increments past 10, so the lockout code executes on every subsequent attempt, but the database write is rolled back every time. This allows unlimited brute-force attempts against TOTP codes. This vulnerability is fixed in 2.3.0.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-10
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor: vikunja
Product: vikunja
Version / Range: all versions before 2.3.0 (2.3.0 excluded)
CWE
CWE-307: The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Vikunja's TOTP lockout mechanism allows unlimited brute-force attempts against two-factor authentication codes after a password compromise. This weakness can lead to unauthorized access to user accounts despite the presence of two-factor authentication, thereby increasing the risk of data breaches.

Such unauthorized access risks can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require appropriate safeguards to protect personal and sensitive data, including strong authentication mechanisms and protection against unauthorized access.

Because the vulnerability allows bypassing of two-factor authentication lockout protections, it undermines the effectiveness of access controls and may lead to violations of confidentiality requirements mandated by these regulations.


Can you explain this vulnerability to me?

CVE-2026-35597 is a moderate severity vulnerability in the Vikunja open-source task management platform affecting versions prior to 2.3.0. The issue lies in the Time-based One-Time Password (TOTP) authentication lockout mechanism, which is supposed to lock a user account after 10 failed TOTP attempts. However, due to a database transaction handling bug, the lockout status update is rolled back and never persisted in the database.

Specifically, when a TOTP validation fails, an in-memory counter increments failed attempts and attempts to set the user status to 'Account Locked' in the database. But the login handler always rolls back the database session after failure, undoing the lockout status update. This means the account never actually locks, allowing unlimited brute-force attempts against TOTP codes.

The vulnerability allows attackers who have obtained a user's password to bypass the two-factor authentication by brute-forcing the 6-digit TOTP codes without triggering account lockout. The flaw was fixed in version 2.3.0 by isolating the lockout update in its own committed database transaction.


How can this vulnerability impact me?

This vulnerability can significantly impact the security of your Vikunja deployment by allowing attackers to bypass the intended TOTP two-factor authentication protection.

  • An attacker who has obtained a user's password (through phishing, credential stuffing, or data breaches) can brute-force the 6-digit TOTP codes without triggering account lockout.
  • Unlimited brute-force attempts are possible because the account lockout status is never persisted due to the rollback bug.
  • Attackers can circumvent per-IP rate limiting by using multiple IP addresses to parallelize brute-force attempts.
  • This can lead to unauthorized access to user accounts despite two-factor authentication being enabled.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unlimited failed TOTP authentication attempts without triggering account lockout, which indicates the lockout mechanism is not functioning correctly.

A practical approach to detection is to simulate multiple failed login attempts with invalid TOTP codes and observe whether the user account status changes to locked in the database after exceeding 10 failed attempts.

For example, you can perform repeated POST requests to the login endpoint with valid username and password but invalid TOTP codes, then query the database to check if the account status is updated to 'Account Locked'.

  • Send multiple failed login attempts (e.g., 11) with invalid TOTP codes to the login API endpoint.
  • Query the user account status in the database to verify if it has changed to 'Account Locked'.
  • Attempt a login with a valid TOTP code after the failed attempts to confirm if the account is locked and login is rejected.

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Vikunja to version 2.3.0 or later, where the vulnerability is fixed.

The fix involves modifying the TOTP failed-attempt lockout mechanism to use an independent database session for persisting the account lockout status, ensuring that lockout updates are committed and not rolled back.

Until the upgrade is applied, consider implementing additional monitoring and rate limiting on TOTP authentication attempts, and be vigilant for signs of brute-force attacks.
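To make the rollback interaction from the Description and the independent-session fix from the mitigation answer concrete, here is an added Go model; it is not Vikunja's code. Store, Session, the failed counter, simulate and the user "alice" are constructed stand-ins, and the 10-attempt threshold is the one the advisory states.

```go
package main

// Store is a constructed stand-in for Vikunja's database: committed user status only.
type Store map[string]string
type Session struct{ db, pending Store } // buffers writes until Commit; Rollback discards them

func (db Store) NewSession() *Session     { return &Session{db: db, pending: Store{}} }
func (s *Session) SetStatus(u, st string) { s.pending[u] = st }
func (s *Session) Rollback()              { s.pending = Store{} }
func (s *Session) Commit() {
	for u, st := range s.pending {
		s.db[u] = st
	}
}

var failed = map[string]int{} // stands in for the in-memory counter used by pkg/user/totp.go

// handleFailedTOTPAuth bumps the counter and writes the lockout on the session it is handed.
func handleFailedTOTPAuth(s *Session, u string) {
	failed[u]++
	if failed[u] >= 10 { // threshold stated in the advisory
		s.SetStatus(u, "locked")
	}
}

// vulnerableLogin mirrors the pre-2.3.0 handler: the lockout shares the request session, which is always rolled back.
func vulnerableLogin(db Store, u string) {
	s := db.NewSession()
	handleFailedTOTPAuth(s, u)
	s.Rollback()
}

// fixedLogin commits the lockout on an independent session before the request session is rolled back.
func fixedLogin(db Store, u string) {
	s := db.NewSession()
	lock := db.NewSession()
	handleFailedTOTPAuth(lock, u)
	lock.Commit()
	s.Rollback()
}

// simulate runs n failed TOTP attempts for a constructed user on a fresh store and counter.
func simulate(login func(Store, string), n int) bool {
	failed = map[string]int{}
	db := Store{}
	for i := 0; i < n; i++ {
		login(db, "alice")
	}
	return db["alice"] == "locked"
}
```

With the vulnerable handler the counter passes 10 on every attempt yet the committed status never changes, which is also the condition the detection answer above tells you to look for.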

