
CVE-2026-27575: CWE-521: Weak Password Requirements in go-vikunja vikunja

Severity: Critical
Type: Vulnerability
Tags: CVE-2026-27575, CWE-521, CWE-613
Published: Wed Feb 25 2026 (02/25/2026, 21:35:23 UTC)
Source: CVE Database V5
Vendor/Project: go-vikunja
Product: vikunja

Description

CVE-2026-27575 is a critical vulnerability in go-vikunja's self-hosted task management platform versions prior to 2.0.0. It allows users to set weak passwords without enforcing minimum strength requirements, making brute-force or credential stuffing attacks easier. Additionally, active sessions remain valid even after a password change, enabling attackers who compromise accounts to maintain persistent access. The vulnerability has a CVSS score of 9.1, indicating high severity with network attack vector and no user interaction required. The issue is fixed in version 2.0.0.

AI-Powered Analysis

Last updated: 02/25/2026, 22:11:51 UTC

Technical Analysis

CVE-2026-27575 identifies a critical security weakness in go-vikunja's vikunja task management platform prior to version 2.0.0. The vulnerability stems from two main issues: first, the application does not enforce strong password requirements, allowing users to set easily guessable passwords such as '1234' or 'password'. This weakness (CWE-521) significantly lowers the barrier for attackers to gain unauthorized access through brute-force or credential stuffing attacks. Second, the platform fails to invalidate active sessions after a user changes their password (CWE-613). This means that if an attacker compromises an account, they can maintain persistent access even after the legitimate user resets their password, bypassing a common remediation step. The vulnerability has a CVSS 3.1 base score of 9.1, reflecting its critical nature due to network exploitability without authentication or user interaction, and its high impact on confidentiality and integrity. Although no known exploits are currently reported in the wild, the combination of weak password enforcement and session persistence presents a significant risk. The issue was addressed in version 2.0.0 of vikunja, which enforces stronger password policies and invalidates active sessions upon password changes. Organizations running versions earlier than 2.0.0 should prioritize upgrading to mitigate this risk.

Potential Impact

The vulnerability allows attackers to compromise user accounts through weak passwords, increasing the likelihood of unauthorized access via brute-force or credential stuffing attacks. Once an account is compromised, the attacker can maintain persistent access due to the failure to invalidate active sessions after password changes. This undermines the confidentiality and integrity of user data and task management information stored within vikunja. For organizations, this could lead to unauthorized data exposure, manipulation of task assignments, and potential disruption of workflows. Since vikunja is often self-hosted, organizations may have varying levels of security maturity, increasing the risk of exploitation. The critical CVSS score indicates a high potential for damage, especially in environments where sensitive or proprietary information is managed. The lack of user interaction and network-based attack vector means attackers can exploit this remotely and automatically, increasing the threat surface. Persistent access post-password reset complicates incident response and recovery efforts.

Mitigation Recommendations

1. Upgrade all instances of vikunja to version 2.0.0 or later immediately to apply the official fix addressing weak password enforcement and session invalidation.
2. Implement additional password policies at the organizational level, such as enforcing complexity, minimum length, and prohibiting commonly used passwords, even if the application does not enforce them.
3. Configure monitoring and alerting for multiple failed login attempts to detect brute-force or credential stuffing attacks early.
4. Implement multi-factor authentication (MFA) to add an additional layer of security beyond passwords.
5. Review and enhance session management policies, including reducing session lifetimes and ensuring sessions are invalidated upon password changes or suspicious activities.
6. Educate users about the risks of weak passwords and the importance of password hygiene.
7. Regularly audit user accounts and active sessions to detect unauthorized access.
8. Consider network-level protections such as IP blacklisting or rate limiting login attempts to reduce brute-force attack feasibility.
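The two weaknesses named above (CWE-521 and CWE-613) are both fixable in application code, and the pattern is the same whichever project is involved. The following Go program is an added illustration written for this page; it is not Vikunja's code and does not reproduce its fix. It assumes an in-memory user and session store and a constructed denylist of common passwords, and it shows the two controls a defender would check for: a password policy enforced before any password is stored, and revocation of every existing session when the password changes, backed by an issued-at check so that tokens which escaped explicit deletion are still rejected.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
	"unicode/utf8"
)

// minPasswordLength is a constructed policy value, not Vikunja's setting.
const minPasswordLength = 12

// commonPasswords is a small constructed denylist; a real deployment would
// load a large breached-password list instead.
var commonPasswords = map[string]struct{}{
	"password": {}, "password1234": {}, "123456": {}, "12345678": {},
	"qwerty": {}, "1234": {}, "letmein": {}, "iloveyou1234": {},
}

// ValidatePassword rejects passwords below the minimum length and passwords
// found in the denylist (compared case-insensitively). This is the CWE-521 check.
func ValidatePassword(pw string) error {
	if utf8.RuneCountInString(pw) < minPasswordLength {
		return fmt.Errorf("password must be at least %d characters", minPasswordLength)
	}
	if _, weak := commonPasswords[strings.ToLower(pw)]; weak {
		return errors.New("password is too common")
	}
	return nil
}

// Session is one issued login token and the time it was issued.
type Session struct {
	Token    string
	UserID   int
	IssuedAt time.Time
}

// User records when the password was last changed; sessions issued before
// that instant are treated as revoked even if they were never deleted.
type User struct {
	ID                int
	PasswordChangedAt time.Time
}

// Store is an in-memory stand-in for the users and sessions tables.
// The clock is injectable so the behaviour can be tested deterministically.
type Store struct {
	users    map[int]*User
	sessions map[string]Session
	now      func() time.Time
}

func NewStore(now func() time.Time) *Store {
	return &Store{users: map[int]*User{}, sessions: map[string]Session{}, now: now}
}

func (s *Store) AddUser(id int) { s.users[id] = &User{ID: id} }

// Login issues a session for the user. Token generation is out of scope here;
// the caller supplies the token string.
func (s *Store) Login(userID int, token string) Session {
	sess := Session{Token: token, UserID: userID, IssuedAt: s.now()}
	s.sessions[token] = sess
	return sess
}

// ChangePassword enforces the policy, records the change time and deletes every
// existing session for the user. This is the CWE-613 fix. Hashing and storing
// the new password is omitted to keep the example focused.
func (s *Store) ChangePassword(userID int, newPassword string) error {
	if err := ValidatePassword(newPassword); err != nil {
		return err
	}
	u := s.users[userID]
	u.PasswordChangedAt = s.now()
	for tok, sess := range s.sessions {
		if sess.UserID == userID {
			delete(s.sessions, tok)
		}
	}
	return nil
}

// SessionValid accepts a token only if it still exists and was issued after the
// user's last password change. The second condition is the safety net for
// stateless tokens (e.g. JWTs) that explicit deletion cannot reach.
func (s *Store) SessionValid(token string) bool {
	sess, ok := s.sessions[token]
	if !ok {
		return false
	}
	return sess.IssuedAt.After(s.users[sess.UserID].PasswordChangedAt)
}

func main() {
	s := NewStore(time.Now)
	s.AddUser(1)
	old := s.Login(1, "token-before-change")
	fmt.Println("weak password accepted:", ValidatePassword("1234") == nil)
	fmt.Println("change password:", s.ChangePassword(1, "correct horse battery staple"))
	fmt.Println("old session still valid:", s.SessionValid(old.Token))
}
```

The issued-at comparison is what makes the revocation robust: deleting rows from a session table only works for sessions the server knows about, whereas comparing each token's issue time against `PasswordChangedAt` also rejects self-contained tokens that carry their own validity.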


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-20T17:40:28.449Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f7012b7ef31ef0b5b7bbc

Added to database: 2/25/2026, 9:56:34 PM

Last enriched: 2/25/2026, 10:11:51 PM

Last updated: 2/26/2026, 7:55:16 AM

Views: 9

Community Reviews

0 reviews

