Business Logic Flaw in Vikunja Task Management Platform
CVE-2026-28268

9.8 CRITICAL

Key Information:

Vendor: Go-vikunja
Status: Vendor
CVE Published: 27 February 2026

What is CVE-2026-28268?

Vikunja, an open-source self-hosted task management platform, contains a business logic vulnerability in its password reset mechanism. In versions before 2.1.0, password reset tokens can be reused indefinitely because of an oversight in token invalidation and a logic error in the token cleanup process. As a result, an attacker who obtains a single reset token (for example from logs, browser history, or a phishing attack) can use it at any later time to gain persistent access to the user's account, bypassing normal authentication. The vulnerability poses a significant risk to user security and is fixed in version 2.1.0.
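The flawed and the corrected token handling side by side, as an added Go example that is not Vikunja's code: ResetStore, Issue, RedeemReusable and Redeem are illustrative names, and the in-memory maps stand in for whatever persistence the real application uses. RedeemReusable reproduces the class of bug described above (a token that is checked but never invalidated); Redeem burns the token on first presentation and enforces expiry.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"time"
)

// ResetStore is an illustrative in-memory token store, not Vikunja's code.
type ResetStore struct {
	owner   map[string]int64     // token -> user ID
	expires map[string]time.Time // token -> expiry time
}

func NewResetStore() *ResetStore {
	return &ResetStore{owner: map[string]int64{}, expires: map[string]time.Time{}}
}

// Issue creates a random, time-limited token bound to userID.
func (s *ResetStore) Issue(userID int64, ttl time.Duration) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(b)
	s.owner[tok], s.expires[tok] = userID, time.Now().Add(ttl)
	return tok, nil
}

// RedeemReusable is the flawed pattern: the token is checked but never removed,
// so whoever holds it can reset the password again at any later time.
func (s *ResetStore) RedeemReusable(tok string) (int64, bool) {
	userID, ok := s.owner[tok]
	return userID, ok
}

// Redeem is the hardened form: the token is burned on first presentation,
// before expiry is checked, so neither a replay nor a stale token succeeds.
func (s *ResetStore) Redeem(tok string) (int64, bool) {
	userID, ok := s.owner[tok]
	fresh := ok && time.Now().Before(s.expires[tok])
	delete(s.owner, tok) // invalidate whatever the outcome
	delete(s.expires, tok)
	if !fresh {
		return 0, false
	}
	return userID, true
}
```

A periodic sweep that deletes entries whose expiry has passed is still worthwhile for storage hygiene, but correctness must not depend on it: the single-use check in Redeem is what stops replay.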

Affected Version(s)

vikunja < 2.1.0

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved