CVE-2026-33668

Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect

Description

Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue accessing the API and syncing data. Version 2.2.1 patches the issue.

INFO

Published Date :

2026-03-24T15:30:27.159Z

Last Modified :

2026-03-26T19:52:13.977Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-33668 vulnerability.

Vendors	Products
Go-vikunja	Vikunja
Vikunja	Vikunja

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33668.

URL	Resource
https://github.com/go-vikunja/vikunja/commit/033922309f492996c928122fb49b691339199c35
https://github.com/go-vikunja/vikunja/commit/04704e0fde4b027039cf583110cee7afe136fc1b
https://github.com/go-vikunja/vikunja/commit/0b04768d830c80e9fde1b0962db1499cc652da0e
https://github.com/go-vikunja/vikunja/commit/fd452b9cb6457fd4f9936527a14c359818f1cca7
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-94xm-jj8x-3cr4
https://vikunja.io/changelog/vikunja-v2.2.2-was-released

CVSS Vulnerability Scoring System

V4
V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact