Description

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user’s status to `StatusActive` after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through `/api/v1/user/password/token` and completing the reset via `/api/v1/user/password/reset`, a disabled user can reactivate their account and bypass administrator-imposed account disablement. Version 2.2.0 patches the issue.

INFO

Published Date :

2026-03-24T14:59:17.242Z

Last Modified :

2026-03-26T13:08:08.138Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33316 vulnerability.

Vendors Products
Go-vikunja
  • Vikunja
Vikunja
  • Vikunja
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33316.

URL Resource
https://github.com/go-vikunja/vikunja/commit/049f4a6be46f9460bd516f489ef9f569574bc70d cve-icon cve-icon
https://github.com/go-vikunja/vikunja/commit/d8570c603da1f26635ce6048d6af85ede827abfb cve-icon cve-icon
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-vq4q-79hh-q767 cve-icon cve-icon
https://vikunja.io/changelog/vikunja-v2.2.0-was-released cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact