CVE-2026-27575
Published: 25 February 2026
Summary
CVE-2026-27575 is a critical-severity Weak Password Requirements (CWE-521) vulnerability in Vikunja. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); it is ranked at the 6.2nd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and IA-5 (Authenticator Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- IA-5 (Authenticator Management): requires sufficient strength of mechanism for passwords and procedures for revoking authenticators, directly addressing both the weak-password allowance and the persistence of sessions after password changes.
- AC-12 (Session Termination): mandates termination of user sessions upon organization-defined trigger events such as password changes, preventing attacker persistence even after the victim resets their password.
- AC-7 (Unsuccessful Logon Attempts): locks accounts after unsuccessful logon attempts, mitigating the brute-force and credential-stuffing exploits enabled by weak passwords.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Weak password enforcement directly enables brute-force/password guessing and credential stuffing (T1110 and sub-techniques); persistent sessions after password change enable ongoing use of compromised valid accounts (T1078).
NVD Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An attacker who compromises an account (via brute-force or credential stuffing) can maintain persistent access even after the victim resets their password. Version 2.0.0 contains a fix.
Deeper analysis
CVE-2026-27575 affects Vikunja, an open-source self-hosted task management platform, in versions prior to 2.0.0. The vulnerability combines two issues: the lack of enforcement for minimum password strength requirements, allowing users to set weak passwords such as "1234" or "password," and the persistence of active sessions even after a user changes their password. Rated at CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and linked to CWE-521 (Weak Password Requirements) and CWE-613 (Insufficient Session Expiration), it enables unauthorized account access without requiring privileges or user interaction.
An unauthenticated attacker can exploit this over the network with low complexity by compromising an account through brute-force attacks or credential stuffing on weak passwords. Once access is gained, the attacker maintains persistent access via the unchanged session, even if the legitimate user resets their password, potentially leading to high confidentiality and integrity impacts such as data exfiltration, task manipulation, or further lateral movement within the self-hosted environment.
The GitHub security advisory (GHSA-3ccg-x393-96v8) and Vikunja changelog for version 2.0.0 detail the fix, which addresses both password strength enforcement and session invalidation on password changes. Security practitioners should upgrade to Vikunja 2.0.0 or later and audit existing user passwords for weakness, implementing additional controls like rate limiting and multi-factor authentication where possible.
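As an added illustration of the two controls the fix is described as adding (not Vikunja's own code), the Go snippet below enforces a minimum password strength and ties each session to a password version, so that any session issued before a password change stops validating. The User and Session types, the 12-character minimum and the small blocklist are assumptions made for the example.

```go
package main

import (
	"errors"
	"strings"
	"unicode"
)

// Hypothetical user record (not Vikunja's own model); PwVersion is bumped on every password change.
type User struct {
	Password  string // plaintext for the demo only; a real store keeps a hash
	PwVersion uint64
}

// A session remembers the password version that was current when it was issued.
type Session struct{ PwVersion uint64 }

const minPasswordLen = 12
var ErrWeakPassword = errors.New("password does not meet minimum strength requirements")

// CheckPasswordStrength enforces a minimum length, a small constructed blocklist
// (the advisory names "1234" and "password") and at least one letter plus one digit.
func CheckPasswordStrength(pw string) error {
	blocked := map[string]bool{"password": true, "1234": true, "password1234": true}
	if len(pw) < minPasswordLen || blocked[strings.ToLower(pw)] {
		return ErrWeakPassword
	}
	var hasLetter, hasDigit bool
	for _, r := range pw {
		hasLetter = hasLetter || unicode.IsLetter(r)
		hasDigit = hasDigit || unicode.IsDigit(r)
	}
	if !hasLetter || !hasDigit {
		return ErrWeakPassword
	}
	return nil
}

// ChangePassword applies the strength check and bumps PwVersion, so every session
// issued before the change stops validating (the CWE-613 half of the fix).
func ChangePassword(u *User, newPw string) error {
	if err := CheckPasswordStrength(newPw); err != nil {
		return err
	}
	u.Password, u.PwVersion = newPw, u.PwVersion+1
	return nil
}
func IssueSession(u *User) Session { return Session{PwVersion: u.PwVersion} }
// SessionValid rejects any session whose recorded password version is stale.
func SessionValid(u *User, s Session) bool { return s.PwVersion == u.PwVersion }
```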
Details
- CWE(s)