CVE-2026-28268: CWE-459: Incomplete Cleanup in go-vikunja vikunja
Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 contain a business logic vulnerability in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Because tokens are not invalidated upon use, and a logic bug in the token cleanup cron job prevents them from ever being purged, reset tokens remain valid forever. An attacker who intercepts a single reset token (via logs, browser history, or phishing) can therefore perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue.
AI Analysis
Technical Summary
Vikunja is an open-source, self-hosted task management platform widely used for organizing tasks and projects. CVE-2026-28268 identifies a critical business logic vulnerability affecting versions prior to 2.1.0 in the password reset functionality of the vikunja/api component. Two defects combine: a reset token is not invalidated after it has been used, and the cron job responsible for removing expired tokens contains a logic bug that prevents it from ever removing them. Neither the use path nor the cleanup path therefore ends a token's life, and every token issued stays valid indefinitely. An attacker who obtains a reset token (from application or reverse-proxy logs that record the reset URL, from a shared browser history, through phishing, or by other means) can replay it at any later time to set a new password on the victim's account and take it over permanently, without knowing the current password and without triggering any of the normal authentication checks. Once a token is in hand, exploitation requires no privileges on the target instance and no further interaction from the victim; obtaining the token is the only precondition. The vulnerability is classified under CWE-459 (Incomplete Cleanup) and CWE-640 (Weak Password Recovery Mechanism). The CVSS v3.1 score is 9.8 (critical), reflecting high impact on confidentiality, integrity, and availability combined with network reachability and no authentication requirement. No exploitation in the wild has been reported, but the simplicity of the attack makes this a significant threat. The issue is resolved in Vikunja 2.1.0, which invalidates tokens on use and fixes the cleanup job.
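To make the two defects concrete, the following Go code is an added example and not Vikunja's implementation: it models a reset-token store with a vulnerable consume path (token looked up, never deleted, expiry never checked) next to a hardened one (token deleted under the lock before the expiry check, so it can succeed at most once) and a cleanup routine that compares each token's expiry against the current time. The type and function names, the one-hour TTL, and the injectable clock are assumptions for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Illustrative model of a password-reset token store. Field names and
// behaviour are assumptions for this example, not Vikunja's code.
type resetToken struct {
	userID  int64
	expires time.Time
}

type ResetStore struct {
	mu     sync.Mutex
	tokens map[string]resetToken // keyed by hex(sha256(raw token))
	now    func() time.Time      // injectable clock so expiry can be tested
	ttl    time.Duration
}

func NewResetStore(now func() time.Time, ttl time.Duration) *ResetStore {
	return &ResetStore{tokens: map[string]resetToken{}, now: now, ttl: ttl}
}

func hashToken(raw string) string {
	sum := sha256.Sum256([]byte(raw))
	return hex.EncodeToString(sum[:])
}

var ErrInvalidToken = errors.New("invalid, expired or already used reset token")

// Issue mints a random token, stores only its hash and returns the raw value
// that would be embedded in the reset link sent to the user.
func (s *ResetStore) Issue(userID int64) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.tokens[hashToken(tok)] = resetToken{userID: userID, expires: s.now().Add(s.ttl)}
	return tok, nil
}

// VulnerableReset reproduces the flaw class in the advisory: the token is
// looked up but neither consumed nor checked for expiry, so it works forever.
func (s *ResetStore) VulnerableReset(tok string) (int64, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rt, ok := s.tokens[hashToken(tok)]
	if !ok {
		return 0, ErrInvalidToken
	}
	return rt.userID, nil
}

// HardenedReset deletes the token under the lock before checking expiry, so a
// token succeeds at most once, and a stale token is rejected even when the
// cleanup job has not run yet.
func (s *ResetStore) HardenedReset(tok string) (int64, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := hashToken(tok)
	rt, ok := s.tokens[key]
	if !ok {
		return 0, ErrInvalidToken
	}
	delete(s.tokens, key)
	if !s.now().Before(rt.expires) {
		return 0, ErrInvalidToken
	}
	return rt.userID, nil
}

// Cleanup is what the periodic job should do: drop every token whose expiry
// is not in the future, judged against the current time. Returns the count.
func (s *ResetStore) Cleanup() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	removed := 0
	for key, rt := range s.tokens {
		if !s.now().Before(rt.expires) {
			delete(s.tokens, key)
			removed++
		}
	}
	return removed
}

// Count reports how many tokens are still stored.
func (s *ResetStore) Count() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return len(s.tokens)
}

func main() {
	clock := time.Date(2026, 3, 1, 9, 0, 0, 0, time.UTC)
	s := NewResetStore(func() time.Time { return clock }, time.Hour)
	tok, _ := s.Issue(7)
	_, v1 := s.VulnerableReset(tok)
	_, v2 := s.VulnerableReset(tok) // second use still succeeds
	_, h1 := s.HardenedReset(tok)
	_, h2 := s.HardenedReset(tok) // consumed: rejected
	fmt.Println("vulnerable:", v1, v2, "hardened:", h1, h2)
	clock = clock.Add(2 * time.Hour)
	fmt.Println("cleanup removed", s.Cleanup(), "tokens")
}
```

The order inside HardenedReset matters: deleting before the expiry check means a replayed or stale token is gone after the first attempt, so the cleanup job is a backstop rather than the only thing standing between an old token and an account takeover.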
Potential Impact
The vulnerability allows attackers to perform persistent account takeovers by replaying an intercepted password reset token indefinitely. This compromises confidentiality by exposing account data, integrity by allowing unauthorized changes, and availability by letting the attacker lock out the legitimate user with a password of their choosing. Organizations relying on Vikunja for task and project management risk unauthorized access to project data, internal discussion, and operational workflows. Because a token never stops working, a single leak is enough for long-term compromise: the attacker can wait, and can regain access after the legitimate user changes the password, without any further effort. Access to a user's projects can support lateral movement, data exfiltration, sabotage, or further phishing of colleagues. Given Vikunja's use across technology, education, and small and medium enterprises, the exposed population is broad, and the absence of any authentication requirement at the point of exploitation makes the attack easy to carry out.
Mitigation Recommendations
Organizations should immediately upgrade all Vikunja instances to version 2.1.0 or later, which invalidates password reset tokens after use and corrects the token cleanup cron job. After upgrading, verify the fix directly: request a reset for a test account, use the token once, and confirm that a second use of the same token is rejected. Until an upgrade is possible, disabling self-service password reset removes the attack surface entirely; where that is not acceptable, alert on any reset token that is accepted more than once or accepted long after it was issued. Because the token travels in the reset URL, make sure reverse proxies and the application itself do not record query strings in access logs, and purge existing logs that do; the same applies to browser histories on shared machines. Restrict exposure of the Vikunja API with network controls such as IP allow-listing or VPN-only access, and train users to recognise phishing that asks them to open or forward a reset link. Enable TOTP-based two-factor authentication on accounts where it is available, so that a reset password alone is not enough to log in. Finally, audit token management and cleanup processes periodically to confirm that no residual tokens remain valid beyond their intended lifetime.
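The monitoring suggested above can be implemented as a replay over reset events. The Go code below is an added example, not part of the advisory or of Vikunja: it parses a constructed log in an assumed key=value format (Vikunja's real log format is not on this page), where only a short hash prefix of each token is recorded so the log itself cannot leak a usable token, and it raises an alert for every use that should have been impossible if tokens were single-use and expired after a maximum age. The event names, field names, and the 24-hour maximum age are assumptions for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// Constructed sample log in an assumed format (not Vikunja's real format):
// <RFC3339 time> event=<issue|use> token=<sha256 prefix> user=<id>
const sampleLog = `2026-03-01T09:00:00Z event=issue token=3f9a1c user=7
2026-03-01T09:05:00Z event=use token=3f9a1c user=7
2026-03-02T11:00:00Z event=issue token=b77e02 user=9
2026-03-02T11:01:00Z event=use token=b77e02 user=9
2026-03-05T08:00:00Z event=issue token=c0ffee user=3
2026-03-07T08:00:00Z event=use token=c0ffee user=3
2026-03-09T22:30:00Z event=use token=3f9a1c user=7
2026-03-10T03:00:00Z event=use token=b77e02 user=9
2026-03-10T03:00:00Z event=use token=deadbe user=12
`

type resetEvent struct {
	at    time.Time
	kind  string // "issue" or "use"
	token string
	user  string
}

// parseResetLine extracts one event; malformed lines are skipped by the caller.
func parseResetLine(line string) (resetEvent, bool) {
	fields := strings.Fields(line)
	if len(fields) < 4 {
		return resetEvent{}, false
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return resetEvent{}, false
	}
	ev := resetEvent{at: at}
	for _, f := range fields[1:] {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "event":
			ev.kind = kv[1]
		case "token":
			ev.token = kv[1]
		case "user":
			ev.user = kv[1]
		}
	}
	if ev.kind == "" || ev.token == "" {
		return resetEvent{}, false
	}
	return ev, true
}

type Alert struct {
	At     time.Time
	Token  string
	User   string
	Reason string
}

const (
	ReasonReused  = "token accepted more than once"
	ReasonStale   = "token accepted after its maximum age"
	ReasonUnknown = "token accepted without a recorded issuance"
)

// DetectTokenAbuse replays the log in order and returns one Alert per use
// that violates single-use or maximum-age expectations.
func DetectTokenAbuse(log string, maxAge time.Duration) []Alert {
	issuedAt := map[string]time.Time{}
	consumed := map[string]bool{}
	var alerts []Alert
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		ev, ok := parseResetLine(sc.Text())
		if !ok {
			continue
		}
		switch ev.kind {
		case "issue":
			issuedAt[ev.token] = ev.at
			consumed[ev.token] = false
		case "use":
			reason := ""
			switch {
			case consumed[ev.token]:
				reason = ReasonReused
			case issuedAt[ev.token].IsZero():
				reason = ReasonUnknown
			case ev.at.Sub(issuedAt[ev.token]) > maxAge:
				reason = ReasonStale
			}
			consumed[ev.token] = true
			if reason != "" {
				alerts = append(alerts, Alert{At: ev.at, Token: ev.token, User: ev.user, Reason: reason})
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range DetectTokenAbuse(sampleLog, 24*time.Hour) {
		fmt.Printf("%s token=%s user=%s: %s\n", a.At.Format(time.RFC3339), a.Token, a.User, a.Reason)
	}
}
```

On the constructed log this flags four events: the late use of c0ffee, the second uses of 3f9a1c and b77e02, and the use of deadbe, for which no issuance was ever logged. On a patched instance none of these should ever fire, which makes the same check a cheap way to confirm the upgrade took effect.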
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Sweden, Japan, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-26T01:52:58.732Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a2016632ffcdb8a26f323f
Added to database: 2/27/2026, 8:41:10 PM
Last enriched: 3/6/2026, 9:19:40 PM
Last updated: 4/12/2026, 1:48:49 PM
Views: 124