Cyber Resilience

CVE-2026-33316

HighPublic PoC

Published: 24 March 2026

Published
24 March 2026
Modified
24 March 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0036 28.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-33316 is a high-severity Improper Access Control (CWE-284) vulnerability in Vikunja Vikunja. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33316 is a vulnerability in Vikunja, an open-source self-hosted task management platform, affecting versions prior to 2.2.0. The issue resides in the password reset logic, specifically the `ResetPassword()` function, which automatically sets a user's status to `StatusActive` upon a successful reset without checking if the account was previously disabled. This flaw, tied to CWE-284 (Improper Access Control), CWE-862 (Missing Authorization), and CWE-863 (Incorrect Authorization), enables disabled users to bypass administrator-imposed restrictions. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts.

An attacker who previously had a low-privilege account that was subsequently disabled by an administrator can exploit this by first requesting a password reset token via the `/api/v1/user/password/token` endpoint, then completing the reset through `/api/v1/user/password/reset`. This process reactivates the account without authorization checks, granting the attacker full access to their previous account resources and potentially enabling further actions within the Vikunja instance.

Vikunja version 2.2.0 addresses the issue with a patch, as detailed in the project's security advisory (GHSA-vq4q-79hh-q767) and changelog. Relevant fixes appear in GitHub commits 049f4a6be46f9460bd516f489ef9f569574bc70d and d8570c603da1f26635ce6048d6af85ede827abfb, which presumably add the necessary status verification before reactivation. Security practitioners should upgrade to 2.2.0 or later and review access controls around password reset mechanisms.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user’s status to `StatusActive` after a successful…

more

password reset without verifying whether the account was previously disabled. By requesting a reset token through `/api/v1/user/password/token` and completing the reset via `/api/v1/user/password/reset`, a disabled user can reactivate their account and bypass administrator-imposed account disablement. Version 2.2.0 patches the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Vulnerability in public-facing Vikunja web app password reset logic directly enables exploitation via API endpoints (T1190) to bypass disabled account status and regain access to a previously valid low-privilege account (T1078).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33668Same product: Vikunja Vikunja
CVE-2026-28268Same product: Vikunja Vikunja
CVE-2026-34727Same product: Vikunja Vikunja
CVE-2026-33680Same product: Vikunja Vikunja
CVE-2026-33678Same product: Vikunja Vikunja
CVE-2026-27575Same product: Vikunja Vikunja
CVE-2026-27819Same product: Vikunja Vikunja
CVE-2026-35595Same product: Vikunja Vikunja
CVE-2026-33335Same product: Vikunja Vikunja
CVE-2026-35602Same product: Vikunja Vikunja

Affected Assets

vikunja
vikunja
≤ 2.2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-2 requires comprehensive account management, including disabling accounts and preventing unauthorized reactivation via password reset mechanisms without status verification.

prevent

SI-2 mandates timely flaw remediation, directly addressing the password reset logic error by requiring patches like Vikunja version 2.2.0 that add account status checks.

prevent

AC-3 enforces approved access authorizations, mitigating unauthorized access by ensuring password reset functions respect disabled account status.

References