CVE-2026-29794 is a vulnerability classified under CWE-807 (Reliance on Untrusted Inputs in a Security Decision) affecting Vikunja, an open-source self-hosted task management platform. The flaw exists in versions from 0.8 up to but not including 2.2.0, where the application’s rate-limiting logic depends on the RealIP value obtained from HTTP headers such as X-Forwarded-For or X-Real-IP. These headers can be easily spoofed by unauthenticated attackers, allowing them to circumvent the rate-limiting controls designed to restrict the number of requests from a single IP address. This bypass enables attackers to send unlimited requests to unauthenticated endpoints, which can be abused for brute-force attacks targeting user authentication mechanisms. Although the vulnerability does not directly compromise confidentiality or integrity, it undermines availability by allowing excessive resource consumption and potential service degradation. The vulnerability was publicly disclosed on March 20, 2026, with a CVSS 3.1 base score of 5.3 (medium severity), reflecting its network attack vector, low complexity, no privileges or user interaction required, and limited impact on availability. The issue is resolved in Vikunja version 2.2.0, which removes the reliance on untrusted HTTP headers for rate-limiting decisions.

The primary impact of this vulnerability is the ability for unauthenticated attackers to bypass rate limits, enabling unlimited requests to unauthenticated endpoints. This can facilitate brute-force attacks against user accounts, increasing the risk of credential compromise and unauthorized access. Additionally, the unchecked request volume can degrade service availability, potentially leading to denial-of-service conditions. Organizations relying on Vikunja for task management may experience service disruptions or account compromises if attackers exploit this flaw. While the vulnerability does not directly expose sensitive data or allow code execution, the indirect effects on authentication and service stability can have significant operational and security consequences. The risk is heightened in environments where Vikunja is exposed to the internet without additional protective controls such as web application firewalls or IP filtering.

1. Upgrade Vikunja to version 2.2.0 or later, where the vulnerability is patched and rate-limiting no longer relies on untrusted HTTP headers. 2. If immediate upgrade is not feasible, implement network-level controls such as web application firewalls (WAFs) or reverse proxies that validate or strip suspicious X-Forwarded-For and X-Real-IP headers to prevent spoofing. 3. Employ additional authentication protections like account lockout policies, multi-factor authentication (MFA), and CAPTCHA challenges on login endpoints to mitigate brute-force attempts. 4. Monitor application logs and network traffic for unusual request patterns indicative of rate-limit bypass or brute-force activity. 5. Restrict access to Vikunja instances to trusted networks or VPNs where possible to reduce exposure to unauthenticated attackers. 6. Conduct regular security assessments and penetration testing to verify the effectiveness of mitigations and detect any residual weaknesses.