CVE-2026-33316 in go-vikunja vikunja情報

要約 (英語)

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user’s status to `StatusActive` after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through `/api/v1/user/password/token` and completing the reset via `/api/v1/user/password/reset`, a disabled user can reactivate their account and bypass administrator-imposed account disablement. Version 2.2.0 patches the issue.

責任者

GitHub_M

予約する

2026年03月18日

公開

2026年03月24日

エントリ

VulDB provides additional information and datapoints for this CVE:

識別子脆弱性CWE悪用可対策CVE
352793go-vikunja Password Reset token ResetPassword 特権昇格284未定義公式な修正CVE-2026-33316

説明

CPE

CWE

CVSS

エクスプロイト

履歴

差分

リンクする

脅威インテリジェンス

API JSON

API XML

API CSV

概要

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!