CVE-2026-33316
Published: 24 March 2026
Summary
CVE-2026-33316 is a high-severity Improper Access Control (CWE-284) vulnerability in Vikunja Vikunja. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-2 requires comprehensive account management, including disabling accounts and preventing unauthorized reactivation via password reset mechanisms without status verification.
SI-2 mandates timely flaw remediation, directly addressing the password reset logic error by requiring patches like Vikunja version 2.2.0 that add account status checks.
AC-3 enforces approved access authorizations, mitigating unauthorized access by ensuring password reset functions respect disabled account status.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing Vikunja web app password reset logic directly enables exploitation via API endpoints (T1190) to bypass disabled account status and regain access to a previously valid low-privilege account (T1078).
NVD Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user’s status to `StatusActive` after a successful…
more
password reset without verifying whether the account was previously disabled. By requesting a reset token through `/api/v1/user/password/token` and completing the reset via `/api/v1/user/password/reset`, a disabled user can reactivate their account and bypass administrator-imposed account disablement. Version 2.2.0 patches the issue.
Deeper analysisAI
CVE-2026-33316 is a vulnerability in Vikunja, an open-source self-hosted task management platform, affecting versions prior to 2.2.0. The issue resides in the password reset logic, specifically the `ResetPassword()` function, which automatically sets a user's status to `StatusActive` upon a successful reset without checking if the account was previously disabled. This flaw, tied to CWE-284 (Improper Access Control), CWE-862 (Missing Authorization), and CWE-863 (Incorrect Authorization), enables disabled users to bypass administrator-imposed restrictions. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts.
An attacker who previously had a low-privilege account that was subsequently disabled by an administrator can exploit this by first requesting a password reset token via the `/api/v1/user/password/token` endpoint, then completing the reset through `/api/v1/user/password/reset`. This process reactivates the account without authorization checks, granting the attacker full access to their previous account resources and potentially enabling further actions within the Vikunja instance.
Vikunja version 2.2.0 addresses the issue with a patch, as detailed in the project's security advisory (GHSA-vq4q-79hh-q767) and changelog. Relevant fixes appear in GitHub commits 049f4a6be46f9460bd516f489ef9f569574bc70d and d8570c603da1f26635ce6048d6af85ede827abfb, which presumably add the necessary status verification before reactivation. Security practitioners should upgrade to 2.2.0 or later and review access controls around password reset mechanisms.
Details
- CWE(s)