Two-Factor Authentication Vulnerability in Vikunja Task Management Platform by Vikunja
CVE-2026-33473

5.7 MEDIUM

Key Information:

Vendor: Go-vikunja

Status
Vendor
CVE Published: 24 March 2026

What is CVE-2026-33473?

Vikunja, the open-source self-hosted task management platform, has a vulnerability in its two-factor authentication (2FA): a Time-based One-Time Password (TOTP) is not invalidated after use, so users with 2FA enabled can reuse the same code within the standard 30-second validity window. An attacker who obtains a user's TOTP during this window could use it to perform unauthorized actions. Users are advised to upgrade to version 2.2.1 or later to mitigate this risk.

Affected Version(s)

vikunja >= 0.13, < 2.2.1

CVSS V3.1

Score: 5.7
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
