Weak Password Enforcement in Vikunja Task Management Platform
CVE-2026-27575

9.1 CRITICAL

Key Information:

Vendor: Go-vikunja
Status: Vendor
CVE Published: 25 February 2026

What is CVE-2026-27575?

Vikunja, an open-source, self-hosted task management tool, did not enforce stringent password strength requirements, so users could set easily guessable passwords. In addition, changing a password did not invalidate existing sessions, so an attacker who had already compromised an account kept access even after the victim reset their password. Together these weaknesses underline the importance of robust password policies and of tying session validity to the current credential. Users are encouraged to update to version 2.0.0, which addresses these issues.
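The second weakness described above, sessions that survive a password change, is usually fixed by binding each session to the credential it was issued under. The following Go code is an added example of that pattern and is not Vikunja's code; the `Store`, `session` and `Register` names and the generation-counter scheme are assumptions for illustration, and password hashing is left out so only the session binding is shown.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// session records which password generation its token was issued under.
type session struct{ user string; gen uint64 }

// Store is an in-memory, single-goroutine store (an assumed shape, not
// Vikunja's); password hashing is omitted to show only the session binding.
type Store struct {
	passwordGen map[string]uint64  // user -> generation, bumped on each change
	sessions    map[string]session // token -> session
}

func NewStore() *Store {
	return &Store{passwordGen: map[string]uint64{}, sessions: map[string]session{}}
}

// Register creates an account at generation 1 (0 is never a valid generation).
func (s *Store) Register(user string) { s.passwordGen[user] = 1 }

// Login issues a random token bound to the user's current generation.
func (s *Store) Login(user string) (string, error) {
	gen, ok := s.passwordGen[user]
	if !ok {
		return "", errors.New("unknown user")
	}
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(buf)
	s.sessions[tok] = session{user: user, gen: gen}
	return tok, nil
}

// Validate accepts a token only while its generation matches the account's.
func (s *Store) Validate(tok string) (string, bool) {
	sess, ok := s.sessions[tok]
	if !ok || sess.gen != s.passwordGen[sess.user] {
		delete(s.sessions, tok) // stale or unknown token: drop it
		return "", false
	}
	return sess.user, true
}

// ChangePassword bumps the generation so every earlier token stops validating.
func (s *Store) ChangePassword(user string) { s.passwordGen[user]++ }
```

A token issued before `ChangePassword` fails `Validate` afterwards, while a fresh `Login` succeeds, which is the behaviour the advisory says was missing.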

Affected Version(s)

vikunja < 2.0.0

CVSS v3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved