Cyber Resilience

CVE-2026-34727

High · Public PoC

Published: 10 April 2026

Modified: 20 April 2026
KEV Added: not listed
Patch: fixed in 2.3.0
CVSS Score v3.1: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0028 (19.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-34727 is a high-severity Improper Authentication (CWE-287) vulnerability in Vikunja Vikunja. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2026-34727 is an improper authentication vulnerability (CWE-287) in Vikunja, an open-source self-hosted task management platform. In versions prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. This allows the second factor to be completely skipped when a local user with TOTP enrolled is matched via the OIDC email fallback mechanism.

The vulnerability carries a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating network accessibility, high attack complexity, no required privileges or user interaction, and high impacts on confidentiality and integrity. An unauthenticated attacker can exploit it by using the OIDC email fallback to match and impersonate a TOTP-enabled local user, bypassing 2FA to obtain a full JWT token and gain unauthorized access to the victim's account, tasks, and associated data.

The GitHub security advisory (GHSA-8jvc-mcx6-r4cg) states that the vulnerability is fixed in Vikunja version 2.3.0. Administrators should upgrade to 2.3.0 or later to mitigate the issue.
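The flaw described above, as an added illustration in hypothetical Go (not Vikunja's code; the User and OIDCClaims types, the "full"/"totp_required" token kinds and the sample account are assumptions): both handlers resolve the user with the same subject-then-e-mail fallback, but only the fixed one checks TOTP enrollment before issuing a full token.

```go
package main

import "fmt"

// User is a hypothetical minimal local account (not Vikunja's real type).
type User struct {
	Name, Email, OIDCSubject string // OIDCSubject is empty if never linked
	TOTPEnabled              bool
}
// OIDCClaims is the identity the provider returns at the callback.
type OIDCClaims struct{ Subject, Email string }
// matchUser: OIDC subject first, then the e-mail fallback the advisory describes.
func matchUser(users []User, c OIDCClaims) (User, bool) {
	for _, u := range users {
		if u.OIDCSubject != "" && u.OIDCSubject == c.Subject {
			return u, true
		}
	}
	for _, u := range users {
		if u.Email == c.Email {
			return u, true
		}
	}
	return User{}, false
}
// callbackVulnerable models the flaw: any matched user gets a "full" token.
func callbackVulnerable(users []User, c OIDCClaims) string {
	if _, ok := matchUser(users, c); ok {
		return "full"
	}
	return "denied"
}
// callbackFixed withholds the full token while a second factor is pending.
func callbackFixed(users []User, c OIDCClaims) string {
	u, ok := matchUser(users, c)
	if !ok {
		return "denied"
	}
	if u.TOTPEnabled {
		return "totp_required" // partial token: only lets the TOTP step run
	}
	return "full"
}

func main() {
	// Constructed sample: alice has TOTP enrolled but no OIDC subject link.
	users := []User{{Name: "alice", Email: "alice@example.org", TOTPEnabled: true}}
	c := OIDCClaims{Subject: "sub-999", Email: "alice@example.org"}
	fmt.Println(callbackVulnerable(users, c), callbackFixed(users, c)) // full totp_required
}
```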

Vulnerability details

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second factor is completely skipped. This vulnerability is fixed in 2.3.0.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1550.001 Application Access Token Lateral Movement
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.
Why these techniques?

Vulnerability in public-facing OIDC handler directly enables exploitation of the app (T1190) to bypass 2FA and obtain a JWT application access token for unauthorized access (T1550.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33316 · Same product: Vikunja Vikunja
CVE-2026-33668 · Same product: Vikunja Vikunja
CVE-2026-28268 · Same product: Vikunja Vikunja
CVE-2026-33678 · Same product: Vikunja Vikunja
CVE-2026-27819 · Same product: Vikunja Vikunja
CVE-2026-27575 · Same product: Vikunja Vikunja
CVE-2026-27616 · Same product: Vikunja Vikunja
CVE-2026-33335 · Same product: Vikunja Vikunja
CVE-2026-33334 · Same product: Vikunja Vikunja
CVE-2026-35595 · Same product: Vikunja Vikunja

Affected Assets

vikunja / vikunja: ≤ 2.3.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent · IA-2 Identification and Authentication (Organizational Users)
Requires robust identification and authentication for organizational users, including enforcement of multi-factor authentication like TOTP to prevent bypass during OIDC email fallback matching.

prevent · IA-5 Authenticator Management
Mandates proper management and enforcement of authenticators such as TOTP, ensuring they are not skipped in authentication flows like Vikunja's OIDC callback handler.

prevent
Directly addresses remediation of the specific authentication flaw in Vikunja prior to version 2.3.0 by requiring timely identification, reporting, and correction of such vulnerabilities.