CVE-2026-33316: CWE-284: Improper Access Control in go-vikunja vikunja
CVE-2026-33316 is a high-severity improper access control vulnerability in the open-source task management platform Vikunja, affecting versions prior to 2.2.0. The flaw is in the password reset functionality: the ResetPassword() function reactivates disabled user accounts without checking their prior disabled status. A disabled user can therefore regain access by requesting a password reset token and completing the reset, bypassing administrator-imposed account disablement. The vulnerability has a CVSS v3.1 base score of 8.1 (high): network-reachable, low attack complexity, low privileges required, no user interaction, and high confidentiality and integrity impact. The issue was patched in version 2.2.0.
AI Analysis
Technical Summary
Vikunja is an open-source, self-hosted task management platform for organizing and managing tasks collaboratively. In versions prior to 2.2.0, a high-severity vulnerability (CVE-2026-33316) exists in the password reset logic. The ResetPassword() function sets the user's status to StatusActive after a successful reset without checking whether an administrator had disabled the account. A disabled user, who should be locked out, can request a reset token via POST /api/v1/user/password/token (the token is delivered to the account's registered e-mail address) and then complete the reset via POST /api/v1/user/password/reset; because the reset unconditionally reactivates the account, the administrative disable control is bypassed. The realistic attacker is therefore the disabled user or anyone who controls that mailbox. The vulnerability is classified under CWE-284 (Improper Access Control), CWE-862 (Missing Authorization) and CWE-863 (Incorrect Authorization). The CVSS v3.1 base score is 8.1, reflecting network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high confidentiality and integrity impact with no availability impact (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). No exploitation in the wild has been reported. Version 2.2.0 fixes the issue by refusing to reactivate a disabled account during a password reset.
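To make the flaw concrete, here is an added, self-contained Go model of the two reset flows. It is not Vikunja's code: the type and function names (User, Status, Store, RequestPasswordToken, ResetPasswordVulnerable, ResetPasswordFixed) and the constructed disabled account are assumptions chosen to mirror the advisory's description. The vulnerable function unconditionally sets StatusActive after a reset; the fixed one refuses the reset for a disabled account and never modifies the status.

```go
// Illustrative model of the CVE-2026-33316 logic flaw and its fix.
// NOT Vikunja's source: all names below are assumptions for this example.
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

type Status int

const (
	StatusActive   Status = iota // 0
	StatusDisabled               // 1
)

type User struct {
	Email        string
	PasswordHash string // placeholder; a real system stores a bcrypt/argon2 hash
	Status       Status
	ResetToken   string
}

var (
	ErrNoSuchToken     = errors.New("invalid or expired reset token")
	ErrAccountDisabled = errors.New("account is disabled")
)

type Store struct{ users map[string]*User }

func NewStore() *Store       { return &Store{users: map[string]*User{}} }
func (s *Store) Add(u *User) { s.users[u.Email] = u }

func (s *Store) byToken(tok string) *User {
	for _, u := range s.users {
		if u.ResetToken != "" && u.ResetToken == tok {
			return u
		}
	}
	return nil
}

// RequestPasswordToken models POST /api/v1/user/password/token: a random
// token is bound to the account. A real system e-mails it to the user.
func (s *Store) RequestPasswordToken(email string) (string, error) {
	u, ok := s.users[email]
	if !ok {
		return "", nil // do not reveal whether the address exists
	}
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	u.ResetToken = hex.EncodeToString(b)
	return u.ResetToken, nil
}

// ResetPasswordVulnerable mirrors the pre-2.2.0 behaviour described in the
// advisory: Status is unconditionally set to StatusActive after the reset.
func (s *Store) ResetPasswordVulnerable(tok, newPassword string) error {
	u := s.byToken(tok)
	if u == nil {
		return ErrNoSuchToken
	}
	u.PasswordHash = "hash(" + newPassword + ")"
	u.ResetToken = ""
	u.Status = StatusActive // the bug: prior disabled status is never checked
	return nil
}

// ResetPasswordFixed refuses the reset for a disabled account and leaves
// Status untouched, so only an administrator can re-enable the user.
func (s *Store) ResetPasswordFixed(tok, newPassword string) error {
	u := s.byToken(tok)
	if u == nil {
		return ErrNoSuchToken
	}
	if u.Status == StatusDisabled {
		u.ResetToken = "" // burn the token so the reset cannot be retried
		return ErrAccountDisabled
	}
	u.PasswordHash = "hash(" + newPassword + ")"
	u.ResetToken = ""
	return nil
}

// Demo runs one flow against a constructed disabled account and returns
// the account's final status together with the reset error, if any.
func Demo(fixed bool) (Status, error) {
	s := NewStore()
	const email = "offboarded@example.invalid" // constructed sample account
	s.Add(&User{Email: email, Status: StatusDisabled})
	tok, err := s.RequestPasswordToken(email)
	if err != nil {
		return 0, err
	}
	if fixed {
		err = s.ResetPasswordFixed(tok, "new-password")
	} else {
		err = s.ResetPasswordVulnerable(tok, "new-password")
	}
	return s.users[email].Status, err
}

func main() {
	st, err := Demo(false)
	fmt.Printf("vulnerable: status=%d err=%v\n", st, err) // status=0 err=<nil>
	st, err = Demo(true)
	fmt.Printf("fixed:      status=%d err=%v\n", st, err) // status=1 err=account is disabled
}
```

The vulnerable flow leaves the offboarded account active with a password the "attacker" chose; the fixed flow returns ErrAccountDisabled and the account stays disabled. As defense in depth, the token-issuing step should also refuse disabled accounts, so a disabled user never receives a reset e-mail in the first place.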
Potential Impact
This vulnerability matters to any organization that relies on account disablement in Vikunja as a control. Accounts are typically disabled because of security concerns, policy violations or user offboarding, and a disabled user who can quietly re-enter the system undermines that control and regains access to project data, tasks and comments they were meant to lose. The likely abuser is a former or suspended user (or anyone holding that user's mailbox, since the reset token arrives there), which makes this an insider and offboarding problem rather than an anonymous remote attack. The impact is on confidentiality and integrity, not availability: the reactivation causes no outage and leaves little trace unless reset requests and status changes are logged and reviewed. The flow needs only two unauthenticated HTTP requests plus access to the reset e-mail, so exploitation is cheap for anyone in that position.
Mitigation Recommendations
The primary mitigation is to upgrade Vikunja to 2.2.0 or later. After upgrading, audit disabled accounts against a known-good list (offboarding records or a pre-upgrade export) and re-disable any account that is active without an administrative re-enable; for those accounts also look for new sessions, API tokens, and recently changed passwords, and review what they touched. If an immediate upgrade is not possible, block the reset flow at the reverse proxy by denying POST requests to /api/v1/user/password/token and /api/v1/user/password/reset, or stop reset e-mails from being delivered (Vikunja sends reset tokens by e-mail, so disabling outbound mail blocks the flow, at the cost of all other notifications); legitimate users lose self-service resets for the duration. Because the reset token goes to the account's mailbox, offboarding should also revoke the mailbox or delete the Vikunja account rather than only disabling it. Add monitoring and alerting on password reset requests that target disabled accounts. Multi-factor authentication does not mitigate this issue: the attacker is the account's legitimate owner and holds its second factor.
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, Sweden, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-18T21:23:36.676Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c2b1b2f4197a8e3b48d1c8
Added to database: 3/24/2026, 3:45:54 PM
Last enriched: 3/24/2026, 4:01:35 PM
Last updated: 3/24/2026, 4:47:42 PM