CVE-2026-34727
Published: 10 April 2026
Summary
CVE-2026-34727 is a high-severity Improper Authentication (CWE-287) vulnerability in Vikunja, an open-source self-hosted task management platform. Its CVSS v3.1 base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 13.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication, Organizational Users) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- IA-2 (Identification and Authentication, Organizational Users): Requires robust identification and authentication for organizational users, including enforcement of multi-factor authentication such as TOTP, so that a second factor cannot be bypassed during OIDC email fallback matching.
- IA-5 (Authenticator Management): Mandates proper management and enforcement of authenticators such as TOTP, ensuring they are not skipped in authentication flows like Vikunja's OIDC callback handler.
- SI-2 (Flaw Remediation): Directly addresses remediation of the specific authentication flaw in Vikunja prior to version 2.3.0 by requiring timely identification, reporting, and correction of such vulnerabilities.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerable OIDC callback handler is reachable on the public-facing application, so exploitation maps to Exploit Public-Facing Application (T1190). A successful exploit bypasses 2FA and yields a JWT application access token, which the attacker then presents for unauthorized access (Use Alternate Authentication Material: Application Access Token, T1550.001).
NVD Description
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second factor is completely skipped. This vulnerability is fixed in 2.3.0.
Deeper analysis
CVE-2026-34727 is an improper authentication vulnerability (CWE-287) in Vikunja, an open-source self-hosted task management platform. In versions prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. This allows the second factor to be completely skipped when a local user with TOTP enrolled is matched via the OIDC email fallback mechanism.
The vulnerability carries a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N): network accessible, high attack complexity, no privileges or user interaction required, unchanged scope, and high impact on confidentiality and integrity with no availability impact. An unauthenticated attacker exploits it by presenting the victim's email address through the OIDC provider the instance trusts, so that the email fallback matches a TOTP-enabled local user; the callback then issues a full JWT without the second factor, giving the attacker access to the victim's account, tasks, and associated data.
The GitHub security advisory (GHSA-8jvc-mcx6-r4cg) states that the vulnerability is fixed in Vikunja version 2.3.0. Administrators should upgrade to 2.3.0 or later to mitigate the issue.
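The following Go program is an added illustration of the flaw class described above, written for this page; it is not Vikunja's code, and every type, function and field name in it (Store, Claims, resolveUser, TokenSecondFactorPending, and so on) is an assumption made for the example. It models an OIDC callback that resolves a local user by issuer+subject first and by email as a fallback, then contrasts a callback that mints a full token unconditionally with one that withholds the full token while the user still owes a TOTP step. The EmailVerified gate on the fallback path is an extra hardening choice for the example, not a measure the advisory describes.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Illustrative model (not Vikunja's code) of the flaw class behind
// CVE-2026-34727: an OIDC callback that may resolve a local user by e-mail
// and then mints a full session token without consulting TOTP enrollment.
// All names below are assumptions made for this example.

// User is a minimal local account record.
type User struct {
	ID          int64
	Email       string
	OIDCSubject string // "issuer|subject" once linked to an IdP identity, "" if never linked
	TOTPEnabled bool   // the user has enrolled a TOTP second factor
}

// Claims is the subset of ID-token claims the callback relies on.
type Claims struct {
	Issuer, Subject, Email string
	EmailVerified          bool
}

// TokenKind distinguishes a full session from a half-authenticated one.
type TokenKind int

const (
	TokenFull                TokenKind = iota // normal API access
	TokenSecondFactorPending                  // only valid for the TOTP verification step
)

// Token stands in for the JWT the callback would sign.
type Token struct {
	Kind   TokenKind
	UserID int64
}

// Store is an in-memory stand-in for the user table.
type Store struct{ users []*User }

// NewDemoStore holds constructed sample data: alice has TOTP enrolled and has
// never linked an OIDC identity; bob has neither.
func NewDemoStore() *Store {
	return &Store{users: []*User{
		{ID: 1, Email: "alice@example.com", TOTPEnabled: true},
		{ID: 2, Email: "bob@example.com"},
	}}
}

// resolveUser is "subject first, e-mail fallback" matching. A user already
// linked to this issuer+subject wins; otherwise an unlinked local user with
// the same e-mail is matched. The bool reports whether the fallback was used.
func resolveUser(s *Store, c Claims) (*User, bool, error) {
	key := c.Issuer + "|" + c.Subject
	for _, u := range s.users {
		if u.OIDCSubject == key {
			return u, false, nil
		}
	}
	email := strings.ToLower(strings.TrimSpace(c.Email))
	for _, u := range s.users {
		if u.OIDCSubject == "" && strings.ToLower(u.Email) == email {
			return u, true, nil
		}
	}
	return nil, false, errors.New("no matching user")
}

// VulnerableCallback mirrors the pre-2.3.0 behaviour the advisory describes:
// whoever the claims resolve to receives a full token, TOTP enrolled or not.
func VulnerableCallback(s *Store, c Claims) (Token, error) {
	u, _, err := resolveUser(s, c)
	if err != nil {
		return Token{}, err
	}
	return Token{Kind: TokenFull, UserID: u.ID}, nil
}

// FixedCallback consults TOTP enrollment before issuing a full token and, as
// an extra hardening step chosen for this example, refuses the e-mail
// fallback when the IdP did not mark the e-mail claim as verified.
func FixedCallback(s *Store, c Claims) (Token, error) {
	u, viaEmail, err := resolveUser(s, c)
	if err != nil {
		return Token{}, err
	}
	if viaEmail && !c.EmailVerified {
		return Token{}, errors.New("e-mail fallback requires a verified email claim")
	}
	if u.TOTPEnabled {
		// Restricted token: the client must complete TOTP to upgrade it.
		return Token{Kind: TokenSecondFactorPending, UserID: u.ID}, nil
	}
	return Token{Kind: TokenFull, UserID: u.ID}, nil
}

func main() {
	s := NewDemoStore()
	// Constructed claims: an IdP identity the victim never linked, asserting her e-mail.
	c := Claims{Issuer: "https://idp.example", Subject: "sub-9f1", Email: "alice@example.com", EmailVerified: true}
	v, _ := VulnerableCallback(s, c)
	f, _ := FixedCallback(s, c)
	fmt.Printf("vulnerable: kind=%d user=%d\n", v.Kind, v.UserID)
	fmt.Printf("fixed:      kind=%d user=%d\n", f.Kind, f.UserID)
}
```

The point of the two-kind token is that the TOTP check has to happen before anything resembling a session credential is signed; returning a token whose only permitted action is the TOTP verification step keeps the OIDC path and the password path on the same second-factor policy.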
Details
- CWE(s)