Description

Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever. This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue.

INFO

Published Date :

2026-02-27T20:16:29.842Z

Last Modified :

2026-03-03T20:26:53.644Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-28268 vulnerability.

Vendors Products
Go-vikunja
  • Vikunja
Vikunja
  • Vikunja
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-28268.

URL Resource
https://github.com/go-vikunja/vikunja/commit/5c2195f9fca9ad208477e865e6009c37889f87b2 cve-icon cve-icon
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-rfjg-6m84-crj2 cve-icon cve-icon
https://vikunja.io/changelog/vikunja-v2.1.0-was-released cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact