Cyber Resilience

CVE-2026-33668

HighPublic PoC

Published: 24 March 2026

Published
24 March 2026
Modified
27 March 2026
KEV Added
Patch
CVSS Score v4 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0045 36.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-33668 is a high-severity Improper Authorization (CWE-285) vulnerability in Vikunja Vikunja. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-33668 is a high-severity vulnerability (CVSS 8.1, AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) affecting Vikunja, an open-source self-hosted task management platform, in versions starting from 0.18.0 and prior to 2.2.1. It involves improper authorization (CWE-285, CWE-863) where user account status checks for disabled or locked accounts are only enforced on local login and JWT token refresh paths. The API tokens, CalDAV basic auth, and OpenID Connect authentication paths fail to verify user status, enabling continued access to the API and data syncing despite account disablement.

Exploitation requires low privileges (PR:L), specifically an authenticated user whose account has been disabled or locked. Attackers can leverage this remotely over the network with low complexity and no user interaction, achieving high confidentiality and integrity impacts by maintaining unauthorized API access and data synchronization capabilities.

Vikunja version 2.2.1 addresses the issue with fixes detailed in multiple GitHub commits, including 033922309f492996c928122fb49b691339199c35, 04704e0fde4b027039cf583110cee7afe136fc1b, 0b04768d830c80e9fde1b0962db1499cc652da0e, and fd452b9cb6457fd4f9936527a14c359818f1cca7. Additional mitigation guidance is available in the GitHub security advisory GHSA-94xm-jj8x-3cr4.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths.…

more

Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue accessing the API and syncing data. Version 2.2.1 patches the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Vulnerability in public-facing Vikunja web application enables exploitation of improper authorization (T1190), allowing continued unauthorized API access and data sync with valid but disabled accounts (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33316Same product: Vikunja Vikunja
CVE-2026-28268Same product: Vikunja Vikunja
CVE-2026-33680Same product: Vikunja Vikunja
CVE-2026-34727Same product: Vikunja Vikunja
CVE-2026-33678Same product: Vikunja Vikunja
CVE-2026-27575Same product: Vikunja Vikunja
CVE-2026-27819Same product: Vikunja Vikunja
CVE-2026-27616Same product: Vikunja Vikunja
CVE-2026-33335Same product: Vikunja Vikunja
CVE-2026-33334Same product: Vikunja Vikunja

Affected Assets

vikunja
vikunja
0.18.0 — 2.2.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires the system to enforce approved authorizations, including user account status checks, across all authentication paths like API tokens, CalDAV, and OpenID Connect to prevent unauthorized access by disabled accounts.

prevent

Mandates identification, management, and disabling of accounts to ensure revocation of access upon account lockout or disablement in self-hosted task management platforms.

prevent

Requires management and disabling of authenticators such as API tokens and basic auth credentials when associated user accounts are disabled or locked.

References