
CVE-2026-27575

Critical · Public PoC

Published: 25 February 2026

Modified: 05 March 2026
CVSS Score (v3.1): 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0043 (34.2th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-27575 is a critical-severity Weak Password Requirements (CWE-521) vulnerability in Vikunja (vendor: Vikunja). Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). The CVE is ranked at the 34.2th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2026-27575 affects Vikunja, an open-source self-hosted task management platform, in versions prior to 2.0.0. The vulnerability combines two issues: minimum password strength requirements are not enforced, so users can set weak passwords such as "1234" or "password", and active sessions remain valid after a user changes their password. Rated at CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and linked to CWE-521 (Weak Password Requirements) and CWE-613 (Insufficient Session Expiration), it enables unauthorized account access without requiring privileges or user interaction.

An unauthenticated attacker can exploit this over the network with low complexity by compromising an account through brute-force attacks or credential stuffing on weak passwords. Once access is gained, the attacker maintains persistent access via the unchanged session, even if the legitimate user resets their password, potentially leading to high confidentiality and integrity impacts such as data exfiltration, task manipulation, or further lateral movement within the self-hosted environment.

The GitHub security advisory (GHSA-3ccg-x393-96v8) and Vikunja changelog for version 2.0.0 detail the fix, which addresses both password strength enforcement and session invalidation on password changes. Security practitioners should upgrade to Vikunja 2.0.0 or later and audit existing user passwords for weakness, implementing additional controls like rate limiting and multi-factor authentication where possible.
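As an added illustration of the two fixes the advisory describes (not Vikunja's own code): a Go sketch that rejects weak passwords and binds each session to a per-user password version, so a password change invalidates every session issued before it. The User and Session types, the denylist and the 12-character minimum are assumptions made for this example.

```go
package main

import (
	"errors"
	"strings"
)

// Hypothetical in-memory models, constructed for this example (not Vikunja's own).
type User struct {
	ID              int
	PasswordVersion int // bumped on every password change
}
type Session struct {
	UserID          int
	PasswordVersion int // the user's version at the time the session was issued
}

// Constructed denylist covering the weak examples the advisory names.
var weakPasswords = map[string]bool{"1234": true, "password": true}

// ValidatePassword enforces a minimum strength (closes the CWE-521 gap).
func ValidatePassword(pw string) error {
	if weakPasswords[strings.ToLower(pw)] {
		return errors.New("password is on the weak-password denylist")
	}
	if len([]rune(pw)) < 12 {
		return errors.New("password must be at least 12 characters")
	}
	return nil
}

// IssueSession binds a new session to the user's current password version.
func IssueSession(u *User) Session {
	return Session{UserID: u.ID, PasswordVersion: u.PasswordVersion}
}

// ChangePassword bumps the version so every earlier session stops validating (CWE-613).
func ChangePassword(u *User, newPw string) error {
	if err := ValidatePassword(newPw); err != nil {
		return err
	}
	u.PasswordVersion++ // a real store would also persist a KDF hash of newPw here
	return nil
}

// SessionValid rejects any session issued before the latest password change.
func SessionValid(u *User, s Session) bool {
	return s.UserID == u.ID && s.PasswordVersion == u.PasswordVersion
}
```

Checking a version on every request, rather than deleting session rows, also covers sessions cached elsewhere, because each check compares against the user's current version.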

Vulnerability details

Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An attacker who compromises an account (via brute-force or credential stuffing) can maintain persistent access even after the victim resets their password. Version 2.0.0 contains a fix.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1110 Brute Force (Credential Access): Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
T1110.001 Password Guessing (Credential Access): Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
T1110.004 Credential Stuffing (Credential Access): Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap.
T1078 Valid Accounts (Stealth): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Weak password enforcement directly enables brute-force/password guessing and credential stuffing (T1110 and sub-techniques); persistent sessions after password change enable ongoing use of compromised valid accounts (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35597 (same product: Vikunja)
CVE-2026-28268 (same product: Vikunja)
CVE-2026-33316 (same product: Vikunja)
CVE-2026-33680 (same product: Vikunja)
CVE-2026-33668 (same product: Vikunja)
CVE-2026-27616 (same product: Vikunja)
CVE-2026-33334 (same product: Vikunja)
CVE-2026-27819 (same product: Vikunja)
CVE-2026-33679 (same product: Vikunja)
CVE-2026-35602 (same product: Vikunja)

Affected Assets

vikunja / vikunja: ≤ 2.0.0

Mitigating Controls (NIST 800-53 r5)

IA-5 Authenticator Management (prevent): Requires sufficient strength of mechanism for passwords and procedures for revoking authenticators, directly addressing both weak password allowance and persistent sessions after password changes.

AC-12 Session Termination (prevent): Mandates termination of user sessions upon organization-defined trigger events like password changes, preventing attacker persistence even after the victim resets their password.

AC-7 Unsuccessful Logon Attempts (prevent): Locks accounts after unsuccessful logon attempts, mitigating the brute-force and credential stuffing exploits enabled by weak passwords.
