CVE-2026-33316: CWE-284: Improper Access Control in go-vikunja vikunja
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The `ResetPassword()` function sets the user’s status to `StatusActive` after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through `/api/v1/user/password/token` and completing the reset via `/api/v1/user/password/reset`, a disabled user can reactivate their account and bypass administrator-imposed account disablement. Version 2.2.0 patches the issue.
AI Analysis
Technical Summary
Vikunja is an open-source, self-hosted task management platform used by organizations to manage tasks and projects. In versions prior to 2.2.0, a high-severity vulnerability (CVE-2026-33316) exists in the password reset logic, categorized under CWE-284 (Improper Access Control), CWE-862 (Missing Authorization), and CWE-863 (Incorrect Authorization). The root cause is that the ResetPassword() function sets the user's status to StatusActive after every successful password reset, without first checking whether an administrator had disabled the account. A disabled account is meant to stay locked out, typically for security or policy reasons. However, an attacker or a disabled user can request a password reset token via /api/v1/user/password/token and then complete the reset through /api/v1/user/password/reset, which reactivates the account as a side effect. The flaw therefore bypasses administrative disablement and undermines account management and access control policies. The CVSS v3.1 base score is 8.1: network attack vector, low attack complexity, privileges required, no user interaction, and high impact on confidentiality and integrity; availability is not affected. The issue was reserved on 2026-03-18 and published on 2026-03-24. No public exploits have been reported yet, but the vulnerability poses a significant risk if exploited. The fix in Vikunja 2.2.0 adds the missing verification so that a password reset no longer reactivates a disabled account.
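As an added illustration, not code from the Vikunja project, the following Go model contrasts the pre-2.2.0 behaviour described above with one way to add the missing check; StatusActive is taken from the advisory, while StatusDisabled, the User struct and the function names are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Status values modelled on the advisory (StatusDisabled is an assumption).
type Status int
const (
	StatusActive Status = iota
	StatusDisabled
)

type User struct {
	Status       Status
	PasswordHash string
}

var ErrAccountDisabled = errors.New("account disabled: password reset refused")

// resetPasswordVulnerable mirrors the pre-2.2.0 behaviour: a successful reset
// unconditionally sets StatusActive, so a disabled account is reactivated.
func resetPasswordVulnerable(u *User, newHash string) error {
	u.PasswordHash = newHash
	u.Status = StatusActive
	return nil
}

// resetPasswordFixed checks the stored state first and refuses the reset for
// disabled users, so neither password nor status changes. This is one way to
// add the check 2.2.0 introduces; the project's actual patch may differ.
func resetPasswordFixed(u *User, newHash string) error {
	if u.Status == StatusDisabled {
		return ErrAccountDisabled
	}
	u.PasswordHash = newHash
	u.Status = StatusActive
	return nil
}

func main() {
	u := User{Status: StatusDisabled, PasswordHash: "old"}
	_ = resetPasswordVulnerable(&u, "new")
	fmt.Printf("vulnerable: status=%d (0 = StatusActive, disablement bypassed)\n", u.Status)
	u = User{Status: StatusDisabled, PasswordHash: "old"}
	err := resetPasswordFixed(&u, "new")
	fmt.Printf("fixed: status=%d err=%v\n", u.Status, err) // status stays 1, reset refused
}
```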
Potential Impact
This vulnerability can have serious consequences for organizations using Vikunja for task management. Accounts are typically disabled because of security concerns, policy violations, or employee offboarding. Reactivating such accounts through a password reset grants unauthorized access, which can lead to data breaches, unauthorized task and project modifications, and insider threats. Confidentiality is at high risk because attackers can regain access to sensitive project information, and integrity is compromised because unauthorized users can modify tasks or project data. Availability is not directly impacted, but the trustworthiness of the system is undermined. Organizations relying on Vikunja for critical workflows may face operational disruptions and compliance violations if this vulnerability is exploited. Because exploitation requires some privileges, insider threats and compromised accounts are the most likely vectors; the network attack vector and low complexity nevertheless make exploitation feasible in many environments.
Mitigation Recommendations
Organizations should immediately upgrade Vikunja installations to version 2.2.0 or later, where this vulnerability is patched. Until upgrading is possible, administrators should add compensating controls such as blocking password reset functionality for disabled accounts at the application or proxy level. Monitoring password reset requests and account status changes helps detect exploitation attempts: a status change from disabled to active that coincides with a password reset, rather than with an administrator action, is the signal to look for. Multi-factor authentication (MFA) reduces the risk of unauthorized password resets. Administrators should audit user account statuses regularly and ensure that disabled accounts cannot perform any actions. Restricting access to the password reset endpoints to trusted networks or authenticated users further reduces exposure. Security teams should review logs for unusual password reset activity and consider account disablement policies that require manual reactivation rather than automatic status changes. Finally, informing users and administrators about this vulnerability and its risks is critical to maintaining vigilance.
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, Sweden, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-18T21:23:36.676Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c2b1b2f4197a8e3b48d1c8
Added to database: 3/24/2026, 3:45:54 PM
Last enriched: 3/31/2026, 7:59:36 PM
Last updated: 5/9/2026, 1:24:31 AM