CVE-2026-33668: Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-33668

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect

Source: NVD (National Vulnerability Database)

Vulnerability Description

Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue accessing the API and syncing data. Version 2.2.1 patches the issue.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

授权机制不恰当

Source: NVD (National Vulnerability Database)

Vulnerability Title

Vikunja 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Vikunja是Vikunja开源的一个待办事项应用程序。 Vikunja 0.18.0至2.2.1之前版本存在安全漏洞，该漏洞源于部分认证路径未验证用户状态，可能导致已禁用或锁定用户继续访问API。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
go-vikunja	vikunja	>= 0.18.0, < 2.2.1	-

II. Public POCs for CVE-2026-33668

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-33668

Please Login to view more intelligence information

https://vikunja.io/changelog/vikunja-v2.2.2-was-releasedx_refsource_MISC
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-94xm-jj8x-3cr4x_refsource_CONFIRM
https://github.com/go-vikunja/vikunja/commit/033922309f492996c928122fb49b691339199c35x_refsource_MISC
https://github.com/go-vikunja/vikunja/commit/04704e0fde4b027039cf583110cee7afe136fc1bx_refsource_MISC
https://github.com/go-vikunja/vikunja/commit/fd452b9cb6457fd4f9936527a14c359818f1cca7x_refsource_MISC
https://github.com/go-vikunja/vikunja/commit/0b04768d830c80e9fde1b0962db1499cc652da0ex_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2026-33668

IV. Related Vulnerabilities

Same product: vikunja

Same vendor: go-vikunja

Same weakness: CWE-285

V. Comments for CVE-2026-33668

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2026-33668

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-33668

III. Intelligence Information for CVE-2026-33668

IV. Related Vulnerabilities

V. Comments for CVE-2026-33668

Leave a comment