Vikunja is an open-source, self-hosted task management platform that supports two-factor authentication (2FA) to enhance account security. However, in versions prior to 2.2.0, the Caldav endpoint accepts Basic Authentication credentials, which can be used to bypass the 2FA mechanism. This is a classic example of CWE-288: Authentication Bypass Using an Alternate Path or Channel. The vulnerability arises because the Caldav endpoint does not enforce 2FA, allowing an attacker who knows or guesses valid user credentials to authenticate using Basic Authentication and gain access to project information that should be protected by 2FA. The information accessible includes sensitive project metadata such as project names and descriptions, which could be leveraged for further attacks or information gathering. Exploitation requires no privileges, no user interaction, and can be performed remotely over the network, increasing the attack surface. The issue was addressed in vikunja version 2.2.0 by removing or securing the Basic Authentication method on the Caldav endpoint, ensuring 2FA enforcement. No known exploits are reported in the wild yet, but the vulnerability poses a significant risk to confidentiality.

The primary impact of this vulnerability is unauthorized disclosure of sensitive project information that should be protected by two-factor authentication. Attackers can bypass 2FA and access project metadata, potentially exposing business-sensitive details such as project names and descriptions. This can lead to information leakage, aiding social engineering, reconnaissance, or further targeted attacks. Since the vulnerability allows bypassing 2FA, it undermines the security posture of organizations relying on vikunja for task management, especially those handling sensitive or confidential projects. Although the vulnerability does not directly allow modification or deletion of data, the exposure of project details can have reputational and operational consequences. The ease of exploitation without authentication or user interaction increases the risk, particularly for organizations exposing the Caldav endpoint to untrusted networks. The medium CVSS score reflects moderate impact, but the actual risk depends on the sensitivity of the data managed within vikunja.

Organizations using vikunja versions prior to 2.2.0 should upgrade immediately to version 2.2.0 or later, which patches the authentication bypass vulnerability. If immediate upgrade is not feasible, administrators should consider disabling the Caldav endpoint or restricting its network access to trusted internal networks only. Implement network-level controls such as firewalls or VPNs to limit exposure of the Caldav service. Additionally, review and enforce strong password policies to reduce the risk of credential compromise, as the vulnerability relies on valid credentials. Monitoring access logs for unusual authentication attempts on the Caldav endpoint can help detect exploitation attempts. Finally, consider implementing additional compensating controls such as IP whitelisting or multi-factor authentication enforcement at the network gateway level until the patch is applied.