Vikunja, an open-source self-hosted task management platform, prior to version 2.0.0 suffers from weak password enforcement (CWE-521) and session management flaws (CWE-613). The platform does not enforce minimum password complexity, allowing users to set easily guessable passwords such as '1234' or 'password'. This weakness facilitates brute-force and credential stuffing attacks, enabling unauthorized access to user accounts. Furthermore, the application fails to invalidate active sessions upon password changes, allowing attackers who have compromised an account to maintain persistent access even after the victim resets their password. The vulnerability has a CVSS 3.1 score of 9.1 (critical), reflecting its high impact on confidentiality and integrity with network attack vector, no privileges or user interaction required, and unchanged scope. Although no known exploits are reported in the wild yet, the combination of weak password policies and session persistence significantly increases the risk of account compromise and unauthorized data access. The issue is resolved in Vikunja version 2.0.0, which enforces stronger password requirements and invalidates active sessions upon password changes.

This vulnerability poses a severe risk to organizations using Vikunja versions prior to 2.0.0. Attackers can exploit weak password policies to gain unauthorized access through brute-force or credential stuffing attacks. Once access is obtained, the failure to invalidate active sessions after password changes allows attackers to maintain persistent access, bypassing user attempts to secure their accounts. This can lead to unauthorized disclosure of sensitive task management data, manipulation or deletion of tasks, and potential lateral movement within an organization's network if Vikunja is integrated with other systems. The confidentiality and integrity of organizational data are at high risk, potentially resulting in operational disruption, loss of trust, and compliance violations. Since Vikunja is self-hosted, the impact depends on the security posture of the hosting environment, but the vulnerability significantly lowers the barrier for attackers to compromise accounts.

Organizations should immediately upgrade Vikunja to version 2.0.0 or later to benefit from enforced strong password policies and session invalidation upon password changes. Until upgrading, administrators should enforce strong password policies manually, such as requiring minimum length, complexity, and prohibiting common passwords. Implement rate limiting and account lockout mechanisms to mitigate brute-force attacks. Monitor authentication logs for suspicious login attempts and unusual session activity. Encourage users to enable multi-factor authentication (MFA) if supported by Vikunja or the hosting environment to add an additional layer of security. Regularly audit active sessions and forcibly terminate sessions when suspicious activity is detected or after password resets. Network segmentation and limiting Vikunja access to trusted IP ranges can reduce exposure. Finally, educate users about the risks of weak passwords and credential reuse.