{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29794", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T16:26:02.900Z", "datePublished": "2026-03-20T14:39:59.035Z", "dateUpdated": "2026-03-20T17:15:23.140Z"}, "containers": {"cna": {"title": "Vikunja has Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers", "problemTypes": [{"descriptions": [{"cweId": "CWE-807", "lang": "en", "description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-m547-hp4w-j6jx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-m547-hp4w-j6jx"}, {"name": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released", "tags": ["x_refsource_MISC"], "url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released"}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"version": ">= 0.8, < 2.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T14:41:43.568Z"}, "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the `X-Forwarded-For` or `X-Real-IP` headers due to the rate-limit relying on the value of `(echo.Context).RealIP`. Unauthenticated users can abuse endpoints available to them for different potential impacts. The immediate concern would be brute-forcing usernames or specific accounts' passwords. This bypass allows unlimited requests against unauthenticated endpoints. Version 2.2.0 patches the issue."}], "source": {"advisory": "GHSA-m547-hp4w-j6jx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T17:14:20.354665Z", "id": "CVE-2026-29794", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T17:15:23.140Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29794", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T17:14:20.354665Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T17:15:18.020Z"}}], "cna": {"title": "Vikunja has Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers", "source": {"advisory": "GHSA-m547-hp4w-j6jx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "go-vikunja", "product": "vikunja", "versions": [{"status": "affected", "version": ">= 0.8, < 2.2.0"}]}], "references": [{"url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-m547-hp4w-j6jx", "name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-m547-hp4w-j6jx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released", "name": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the `X-Forwarded-For` or `X-Real-IP` headers due to the rate-limit relying on the value of `(echo.Context).RealIP`. Unauthenticated users can abuse endpoints available to them for different potential impacts. The immediate concern would be brute-forcing usernames or specific accounts' passwords. This bypass allows unlimited requests against unauthenticated endpoints. Version 2.2.0 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-807", "description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T14:41:43.568Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29794", "state": "PUBLISHED", "dateUpdated": "2026-03-20T17:15:23.140Z", "dateReserved": "2026-03-04T16:26:02.900Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T14:39:59.035Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*", "matchCriteriaId": "3F4BEFD9-23A0-4330-B595-2942F3550AF0", "versionEndExcluding": "2.2.0", "versionStartIncluding": "0.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the `X-Forwarded-For` or `X-Real-IP` headers due to the rate-limit relying on the value of `(echo.Context).RealIP`. Unauthenticated users can abuse endpoints available to them for different potential impacts. The immediate concern would be brute-forcing usernames or specific accounts' passwords. This bypass allows unlimited requests against unauthenticated endpoints. Version 2.2.0 patches the issue."}], "id": "CVE-2026-29794", "lastModified": "2026-03-24T21:18:04.037", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T15:16:16.393", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-m547-hp4w-j6jx"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-807"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0.8,2.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vikunja", "source": "cna", "vendor": "go-vikunja"}, "product": "vikunja", "vendor": "go-vikunja"}], "analysis": {"en": {"generated_at": "2026-03-24T22:25:59.445904+00:00", "value": {"mitigation_remediation": ["Upgrade Vikunja to version 2.2.0 or later to receive the vendor patch.", "If an upgrade is not possible, configure your reverse proxy or load balancer to reject or sanitize X-Forwarded-For and X-Real-IP headers from untrusted sources.", "Apply an additional layer of rate limiting on unauthenticated endpoints at the network or application level to cap request rates."], "summary": {"action": "Immediate Patch", "impact": "Unrestricted request flooding for unauthenticated users"}, "threat_synthesis": {"affected_systems": "All Vikunja installations from version 0.8 up through the patch release 2.1.x are affected. The vendor is Vikunja, an open\u2011source self\u2011hosted task management platform. The vulnerable component is the rate\u2011limit middleware that relies on the echo.Context RealIP field to enforce request quotas.", "description_and_impact": "The vulnerability in Vikunja enables an unauthenticated attacker to bypass the application\u2019s built\u2011in rate limit by sending spoofed X-Forwarded-For or X-Real-IP headers. The rate\u2011limiting logic mistakenly trusts these headers as the client IP, allowing the attacker to issue an unlimited number of requests. This flaw can be exploited to perform brute\u2011force scans of usernames or passwords, and to overload the server with excessive traffic. The weakness is a classic example of unvalidated user input that leads to uncontrolled request handling.", "risk_and_exploitability": "With a CVSS score of 5.3, the issue is classified as medium severity, and the EPSS score is below 1%, indicating a low likelihood of active exploitation. It is not included in the CISA KEV catalog. The attack vector is remote and requires no authentication; the attacker merely crafts HTTP requests with spoofed IP headers. If the application is exposed to the Internet, this can lead to denial\u2011of\u2011service or credential\u2011guessing attacks."}}}}, "created": "2026-03-20T16:27:12.432786+00:00", "updated": "2026-03-25T14:29:22.397593+00:00", "vendors": ["go-vikunja", "go-vikunja$PRODUCT$vikunja"]}