Cyber Resilience

CVE-2026-29794

Medium · Public PoC

Published: 20 March 2026

Published
20 March 2026
Modified
24 March 2026
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score 0.0012 31.1st percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-29794 is a medium-severity Reliance on Untrusted Inputs in a Security Decision (CWE-807) vulnerability in Vikunja. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). The CVE ranks at the 31.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

EU & UK References

Vulnerability details

Vikunja is an open-source, self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users can bypass the application's built-in rate limits by spoofing the `X-Forwarded-For` or `X-Real-IP` headers, because the rate limiter keys on the value of `(echo.Context).RealIP`, which is derived from those client-controlled headers. Unauthenticated users can abuse the endpoints available to them for different potential impacts; the immediate concern is brute-forcing usernames or specific accounts' passwords, since the bypass allows unlimited requests against unauthenticated endpoints. Version 2.2.0 patches the issue.
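The Go snippet below is an added illustration (not Vikunja's code and not the Echo framework's own `RealIP` implementation) of the weakness described above: `weakClientIP` derives the rate-limit key from forwarding headers sent by any peer, while `hardenedClientIP` honours them only when the TCP peer is inside a trusted reverse-proxy range and walks the `X-Forwarded-For` chain from the right. The proxy CIDR, the IP addresses and the `/api/v1/login` path are constructed for the example.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// Constructed example: only this reverse-proxy range may set forwarding headers.
var _, trustedProxies, _ = net.ParseCIDR("10.0.0.0/8")

// weakClientIP mirrors the behaviour the advisory describes: the first X-Forwarded-For
// hop (or X-Real-IP) is believed unconditionally, so any client picks its own rate-limit key.
func weakClientIP(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	if rip := r.Header.Get("X-Real-IP"); rip != "" {
		return rip
	}
	host, _, _ := net.SplitHostPort(r.RemoteAddr)
	return host
}

// hardenedClientIP believes forwarding headers only when the TCP peer is a trusted proxy,
// then walks X-Forwarded-For right-to-left and keys on the first hop that is not a trusted proxy.
func hardenedClientIP(r *http.Request) string {
	peer, _, _ := net.SplitHostPort(r.RemoteAddr)
	if !trustedProxies.Contains(net.ParseIP(peer)) {
		return peer // the client set the header itself: ignore it
	}
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip != nil && !trustedProxies.Contains(ip) {
			return ip.String()
		}
	}
	return peer
}

// mkReq builds a constructed login request from the given TCP peer carrying an X-Forwarded-For value.
func mkReq(remoteAddr, xff string) *http.Request {
	r, _ := http.NewRequest(http.MethodPost, "/api/v1/login", nil)
	r.RemoteAddr = remoteAddr
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	return r
}
```

In Echo itself the equivalent hardening is to set `e.IPExtractor`, for example to `echo.ExtractIPFromXFFHeader(echo.TrustIPRange(cidr))` or `echo.ExtractIPDirect()`, so that `c.RealIP()` stops honouring headers from arbitrary peers.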

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1110 Brute Force Credential Access
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
Why these techniques?

Rate limit bypass via header spoofing directly enables unlimited brute force attempts (T1110) against authentication endpoints.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

Affected Assets

vikunja / vikunja, versions 0.8 — 2.2.0

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-807

Prevents reliance on untrusted matching results for security-relevant decisions by enforcing verification and contest procedures.

addresses: CWE-807

Providing authoritative attributes with the data reduces the need for security decisions to rely on untrusted external inputs.

addresses: CWE-807

Reduces reliance on untrusted inputs by ensuring only authorized sources may supply data.

References