CVE-2026-33315
MEDIUM
Vikunja <2.2.0 CalDAV Basic Auth - Two-Factor Authentication Bypass
Title source: manual
Description
Vikunja is an open-source, self-hosted task management platform. Prior to version 2.2.0, the CalDAV endpoint allows login using Basic Authentication, which in turn allows users to bypass TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA (if enabled), such as project name, description, etc. Version 2.2.0 patches the issue.
References (3)
x_refsource_confirm
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-47cr-f226-r4pq
x_refsource_misc
https://github.com/go-vikunja/vikunja/commit/cdf5d30a425d032f749b78b98b828f25ad882615
x_refsource_misc
https://vikunja.io/changelog/vikunja-v2.2.0-was-released
Scores
CVSS v3
4.3
EPSS
0.0030
EPSS Percentile
21.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-288
Status
published
Products (3)
code.vikunja.io/api
0
Go
go-vikunja/vikunja
< 2.2.0
vikunja/vikunja
< 2.2.0
Published
Mar 24, 2026
Tracked Since
Mar 24, 2026