CVE-2026-28268
Published: 27 February 2026
Summary
CVE-2026-28268 is a critical-severity Incomplete Cleanup (CWE-459) vulnerability in Vikunja Vikunja. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires proper management, protection, and invalidation of temporary authenticators like password reset tokens to prevent their indefinite reuse.
Establishes processes for timely remediation of identified flaws, such as patching the token invalidation and cleanup cron job bugs in Vikunja to version 2.1.0.
Mandates notification of account changes including password resets, enabling detection of unauthorized takeovers from reused reset tokens.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing password reset API enables remote exploitation (T1190) leading to indefinite token reuse for account takeover and subsequent use of valid accounts (T1078).
NVD Description
Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate…
more
tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever. This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue.
Deeper analysisAI
CVE-2026-28268 is a business logic vulnerability in the password reset mechanism of Vikunja, an open-source self-hosted task management platform. Specifically, it affects the vikunja/api component in versions prior to 2.1.0. The flaw stems from a failure to invalidate password reset tokens upon use, combined with a critical logic bug in the token cleanup cron job, which causes tokens to remain valid indefinitely. This issue is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-459 (Incomplete Cleanup) and CWE-640 (Weak Password Recovery Mechanism for Forgotten Password).
The vulnerability can be exploited by any remote attacker with no privileges who obtains a single password reset token, such as through interception via server logs, browser history, or phishing attacks. Once in possession of the token, the attacker can reuse it indefinitely to reset the victim's password, achieving complete and persistent account takeover at any future time and bypassing standard authentication controls.
Vikunja version 2.1.0 addresses the issue with a patch, as detailed in the project's GitHub commit (5c2195f9fca9ad208477e865e6009c37889f87b2), security advisory (GHSA-rfjg-6m84-crj2), and changelog for v2.1.0. Security practitioners should upgrade to version 2.1.0 or later and review logs for evidence of token interception.
Details
- CWE(s)