CVE-2026-33668 in vikunja

Summary

by MITRE • 03/24/2026

Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue accessing the API and syncing data. Version 2.2.1 patches the issue.


Analysis

by VulDB Data Team • 03/28/2026

CVE-2026-33668 affects Vikunja, an open-source self-hosted task management platform that provides project and task organization for individuals and teams. The flaw is a critical authorization bypass that undermines the platform's user access controls. In versions 0.18.0 through 2.2.0 the system does not enforce user account status checks on every authentication path, which leaves a significant gap in its access control architecture. The issue shows up when an account is disabled or locked by an administrator, an action that should end that account's access to system resources.

The flaw lies in the authentication validation logic, which verifies user status inconsistently across authentication methods. Local login and JWT token refresh correctly check whether an account is disabled or locked, but three other mechanisms do not: API token authentication, CalDAV basic authentication, and OpenID Connect integration. The cause is a missing validation step in the authentication middleware, so account status is not enforced uniformly and disabled or locked users retain access through these alternative channels. This is a classic case of incomplete input validation and access control enforcement, classified under CWE-639 Access Control Bypass.
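As an added illustration (not Vikunja's code; every type, field and function name here is an assumption), the Go sketch below shows the fix shape the analysis describes: one account-status gate that every authentication path, including API token, CalDAV basic auth and OIDC, has to pass through.

```go
package main

import (
	"errors"
	"fmt"
)

// Minimal user record for the example; field names are assumptions, not Vikunja's.
type User struct {
	Username string
	Disabled bool
	Locked   bool
}

var ErrBadCredential = errors.New("invalid credential")
var ErrAccountInactive = errors.New("account is disabled or locked")

// Constructed credential stores standing in for the database.
var byAPIToken = map[string]*User{"tok-alice": {Username: "alice", Disabled: true}}
var byBasic = map[string]*User{"bob:s3cret": {Username: "bob", Locked: true}}
var bySubject = map[string]*User{"oidc-sub-carol": {Username: "carol"}}

// The vulnerable shape resolves a credential and returns the user as-is; the
// status check lived only in the login/refresh handlers, so the other paths
// let disabled or locked accounts through. Fixed shape: every path funnels
// through one gate, so the check cannot be omitted when a new method is added.
func authenticate(lookup func() (*User, bool)) (*User, error) {
	u, ok := lookup()
	if !ok {
		return nil, ErrBadCredential
	}
	if u.Disabled || u.Locked {
		return nil, ErrAccountInactive
	}
	return u, nil
}
func apiTokenAuth(token string) (*User, error) {
	return authenticate(func() (*User, bool) { u, ok := byAPIToken[token]; return u, ok })
}
func calDAVBasicAuth(user, pass string) (*User, error) {
	return authenticate(func() (*User, bool) { u, ok := byBasic[user+":"+pass]; return u, ok })
}
func oidcAuth(subject string) (*User, error) {
	return authenticate(func() (*User, bool) { u, ok := bySubject[subject]; return u, ok })
}

func main() {
	_, err := calDAVBasicAuth("bob", "s3cret") // bob is locked
	fmt.Println("locked user via CalDAV basic auth:", err)
}
```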

The operational impact is substantial: task management data stays reachable even after an administrator has disabled or locked an account. An attacker who obtains a disabled user's API token, CalDAV credentials, or OpenID Connect session can continue to read, modify, or delete task data, with consequences for data integrity and the possibility of unauthorized operations within the platform. Every disabled or locked account is affected, so the exposure persists for as long as the account's credentials remain valid. Organizations that use Vikunja for sensitive project management and task tracking are hit hardest, because the administrative control meant to revoke access does not take effect. Data exfiltration and manipulation remain possible too, since disabled users can keep syncing through CalDAV and calling API endpoints with tokens that are still accepted.

Organizations running Vikunja should upgrade to version 2.2.1 or later, where the issue is patched, without delay. Administrators should audit all user accounts for sessions that may still be live and revoke the access tokens of disabled or locked users. Monitoring and alerting on authentication events helps detect disabled accounts attempting to sign in through the alternative paths. Security teams should also review their access control policies and make sure account lifecycle procedures are in place, including automatic token invalidation when an account is disabled. The case shows why access control validation must be complete: a control applied to only some paths leaves a dangerous gap. The fix in version 2.2.1 makes every authentication path validate user account status consistently, in line with best practice for secure authentication and with the privilege escalation and credential access techniques the ATT&CK framework describes for this weakness.

Responsible

GitHub M

Reservation

03/23/2026

Disclosure

03/24/2026

Moderation

accepted

CPE

ready

EPSS

0.00107

KEV

no

Activities

very low
