Brute Force Vulnerability in Vikunja Task Management Platform
CVE-2026-35597

5.9 MEDIUM

Key Information:

Vendor

Go-vikunja

Status
Vendor
CVE Published:
10 April 2026

What is CVE-2026-35597?

Vikunja, the open-source self-hosted task management platform, has a vulnerability in its Time-based One-Time Password (TOTP) implementation. Prior to version 2.3.0, a bug in the database transaction handling defeated the failed-attempt lockout feature. When TOTP validation failed, the system was designed to lock the user account after 10 failed attempts. However, because the database transaction was rolled back unconditionally after each failed attempt, the updated failed-attempt count and lockout status were never written to the database. As a result, an attacker could keep guessing TOTP codes without ever triggering the account lockout, allowing unlimited brute-force attempts. This vulnerability was addressed in version 2.3.0, restoring the intended lockout protection of the TOTP authentication process.
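The transaction pattern described above, as an added Go example that is not Vikunja's code: a minimal in-memory transaction (userRecord, tx, verifyTOTP and the 10-attempt threshold are all constructed here, not taken from the project) runs the pre-2.3.0 failure path, where an unconditional deferred rollback discards the failed-attempt counter, beside the fixed path that commits that bookkeeping before returning the authentication error.

```go
package main

import "errors"

const maxFailedTOTPAttempts = 10 // lockout threshold named in the advisory

var errInvalidTOTP, errLocked = errors.New("invalid TOTP code"), errors.New("account locked")

// userRecord stands in for one persisted user row (constructed, not Vikunja's schema).
type userRecord struct{ FailedAttempts int; Locked bool }

// tx models a transaction over that row: a write is staged and only reaches the backing
// record on commit; rollback discards whatever is still staged.
type tx struct{ row, staged *userRecord }

func (t *tx) rollback() { t.staged = nil }
func (t *tx) commit() {
	if t.staged != nil {
		*t.row = *t.staged
	}
	t.rollback() // nothing left staged, so a later deferred rollback is harmless
}

// verifyTOTP runs one login attempt. With commitOnFailure=false it reproduces the
// pre-2.3.0 flaw: the deferred rollback fires on every return, so the counter and lock
// flag staged on the failure path never reach the row and the lockout never takes effect.
func verifyTOTP(row *userRecord, code, expected string, commitOnFailure bool) error {
	t := &tx{row: row}
	defer t.rollback() // unconditional rollback: the bug when no commit precedes it
	r := *row
	if r.Locked {
		return errLocked
	}
	if code != expected { // stand-in for real TOTP validation
		r.FailedAttempts++
		r.Locked = r.FailedAttempts >= maxFailedTOTPAttempts
		t.staged = &r
		if commitOnFailure { // the 2.3.0-style fix: persist the bookkeeping before returning
			t.commit()
		}
		return errInvalidTOTP
	}
	t.staged = &userRecord{} // success resets the counter
	t.commit()
	return nil
}
```

With commitOnFailure=false the row never changes no matter how many wrong codes are tried; with it set to true the eleventh attempt is refused with errLocked even when the code is correct.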

Affected Version(s)

vikunja < 2.3.0

References

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
