CVE-2026-33668
Published: 24 March 2026
Summary
CVE-2026-33668 is a high-severity Improper Authorization (CWE-285) vulnerability in Vikunja Vikunja. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires the system to enforce approved authorizations, including user account status checks, across all authentication paths like API tokens, CalDAV, and OpenID Connect to prevent unauthorized access by disabled accounts.
Mandates identification, management, and disabling of accounts to ensure revocation of access upon account lockout or disablement in self-hosted task management platforms.
Requires management and disabling of authenticators such as API tokens and basic auth credentials when associated user accounts are disabled or locked.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing Vikunja web application enables exploitation of improper authorization (T1190), allowing continued unauthorized API access and data sync with valid but disabled accounts (T1078).
NVD Description
Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths.…
more
Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue accessing the API and syncing data. Version 2.2.1 patches the issue.
Deeper analysisAI
CVE-2026-33668 is a high-severity vulnerability (CVSS 8.1, AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) affecting Vikunja, an open-source self-hosted task management platform, in versions starting from 0.18.0 and prior to 2.2.1. It involves improper authorization (CWE-285, CWE-863) where user account status checks for disabled or locked accounts are only enforced on local login and JWT token refresh paths. The API tokens, CalDAV basic auth, and OpenID Connect authentication paths fail to verify user status, enabling continued access to the API and data syncing despite account disablement.
Exploitation requires low privileges (PR:L), specifically an authenticated user whose account has been disabled or locked. Attackers can leverage this remotely over the network with low complexity and no user interaction, achieving high confidentiality and integrity impacts by maintaining unauthorized API access and data synchronization capabilities.
Vikunja version 2.2.1 addresses the issue with fixes detailed in multiple GitHub commits, including 033922309f492996c928122fb49b691339199c35, 04704e0fde4b027039cf583110cee7afe136fc1b, 0b04768d830c80e9fde1b0962db1499cc652da0e, and fd452b9cb6457fd4f9936527a14c359818f1cca7. Additional mitigation guidance is available in the GitHub security advisory GHSA-94xm-jj8x-3cr4.
Details
- CWE(s)