{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28268", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-26T01:52:58.732Z", "datePublished": "2026-02-27T20:16:29.842Z", "dateUpdated": "2026-03-03T20:26:53.644Z"}, "containers": {"cna": {"title": "Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse", "problemTypes": [{"descriptions": [{"cweId": "CWE-459", "lang": "en", "description": "CWE-459: Incomplete Cleanup", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-640", "lang": "en", "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-rfjg-6m84-crj2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-rfjg-6m84-crj2"}, {"name": "https://github.com/go-vikunja/vikunja/commit/5c2195f9fca9ad208477e865e6009c37889f87b2", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-vikunja/vikunja/commit/5c2195f9fca9ad208477e865e6009c37889f87b2"}, {"name": "https://vikunja.io/changelog/vikunja-v2.1.0-was-released", "tags": ["x_refsource_MISC"], "url": "https://vikunja.io/changelog/vikunja-v2.1.0-was-released"}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"version": "< 2.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T20:16:29.842Z"}, "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever. This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue."}], "source": {"advisory": "GHSA-rfjg-6m84-crj2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T20:26:41.313436Z", "id": "CVE-2026-28268", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T20:26:53.644Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28268", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-03T20:26:41.313436Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T20:26:48.321Z"}}], "cna": {"title": "Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse", "source": {"advisory": "GHSA-rfjg-6m84-crj2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"status": "affected", "version": "< 2.1.0"}]}], "references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-rfjg-6m84-crj2", "name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-rfjg-6m84-crj2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/go-vikunja/vikunja/commit/5c2195f9fca9ad208477e865e6009c37889f87b2", "name": "https://github.com/go-vikunja/vikunja/commit/5c2195f9fca9ad208477e865e6009c37889f87b2", "tags": ["x_refsource_MISC"]}, {"url": "https://vikunja.io/changelog/vikunja-v2.1.0-was-released", "name": "https://vikunja.io/changelog/vikunja-v2.1.0-was-released", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever. This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-459", "description": "CWE-459: Incomplete Cleanup"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-640", "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-27T20:16:29.842Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28268", "state": "PUBLISHED", "dateUpdated": "2026-03-03T20:26:53.644Z", "dateReserved": "2026-02-26T01:52:58.732Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-27T20:16:29.842Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "matchCriteriaId": "5F4164A9-6656-425E-81AF-BC892E137C82", "versionEndExcluding": "2.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever. This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue."}, {"lang": "es", "value": "Vikunja es una plataforma de gesti\u00f3n de tareas de c\u00f3digo abierto autoalojada. En las versiones anteriores a la 2.1.0, existe una vulnerabilidad de l\u00f3gica de negocio en el mecanismo de restablecimiento de contrase\u00f1a de vikunja/API que permite que los tokens de restablecimiento de contrase\u00f1a sean reutilizados indefinidamente. Debido a un fallo en la invalidaci\u00f3n de tokens tras su uso y a un error de l\u00f3gica cr\u00edtico en el trabajo cron de limpieza de tokens, los tokens de restablecimiento permanecen v\u00e1lidos para siempre. Esto permite a un atacante que intercepta un \u00fanico token de restablecimiento (a trav\u00e9s de registros, historial del navegador o phishing) realizar una toma de control de cuenta completa y persistente en cualquier momento en el futuro, eludiendo los controles de autenticaci\u00f3n est\u00e1ndar. La versi\u00f3n 2.1.0 contiene un parche para el problema."}], "id": "CVE-2026-28268", "lastModified": "2026-03-06T21:03:09.780", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-27T21:16:18.233", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/go-vikunja/vikunja/commit/5c2195f9fca9ad208477e865e6009c37889f87b2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-rfjg-6m84-crj2"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://vikunja.io/changelog/vikunja-v2.1.0-was-released"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-459"}, {"lang": "en", "value": "CWE-640"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-640"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vikunja", "source": "cna", "vendor": "go-vikunja"}, "product": "vikunja", "vendor": "go-vikunja"}], "analysis": {"en": {"generated_at": "2026-04-17T13:55:39.915677+00:00", "value": {"mitigation_remediation": ["Upgrade to Vikunja\u00a02.1.0 or later, which invalidates password reset tokens when used.", "Disable or restrict the password reset feature on affected installations until the patch can be applied to eliminate the possibility of token reuse.", "Clear any stored reset tokens from logs, browser history, or other repositories, and rotate relevant cryptographic secrets if possible to invalidate any leaked tokens."], "summary": {"action": "Immediate Patch", "impact": "Account takeover"}, "threat_synthesis": {"affected_systems": "All installations of Vikunja before version 2.1.0 are affected. The issue was fixed in release 2.1.0, so any instance still running an older version is at risk.", "description_and_impact": "Vikunja, an open\u2011source self\u2011hosted task management platform, has a business logic flaw that allows password reset tokens to be reused indefinitely. The system fails to invalidate used tokens and the cleanup cron job never removes them, so once a token is issued it remains valid forever. An attacker who obtains any single reset token\u2014by reading server logs, inspecting browser history, or phishing\u2014can later use that token at any time to log in as the designated user. This results in complete, persistent account takeover and bypasses all standard authentication controls.", "risk_and_exploitability": "The CVSS score of 9.8 reflects a severe impact. The EPSS score of less than 1% indicates a currently low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is the password reset flow, requiring only possession of a valid token\u2014a token that can be extracted from logs, browser history, or through phishing. Once in possession of such a token, the attacker can complete the takeover at any future point, highlighting a high exploitation potential if the token is compromised."}}}}, "created": "2026-03-02T12:04:59.363931+00:00", "updated": "2026-04-17T14:00:15.811201+00:00", "vendors": ["go-vikunja", "go-vikunja$PRODUCT$vikunja"]}