CVE-2026-33473: CWE-287: Improper Authentication in go-vikunja vikunja
Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue.
AI Analysis
Technical Summary
CVE-2026-33473 identifies an improper authentication vulnerability (CWE-287) in the go-vikunja Vikunja platform, an open-source, self-hosted task management system. The vulnerability exists in versions from 0.13 up to but not including 2.2.1. It specifically affects the implementation of two-factor authentication (2FA) using Time-based One-Time Passwords (TOTP). Normally, TOTP codes are valid for a 30-second window and intended for one-time use to enhance security. However, this vulnerability allows a user with 2FA enabled to reuse the same TOTP multiple times within that 30-second window, effectively bypassing the intended one-time use constraint. This flaw arises from improper validation logic that does not prevent reuse of the same TOTP within its validity period. The CVSS 3.1 base score is 5.7 (medium severity), reflecting that the attack vector is network-based with low attack complexity, requiring privileges and user interaction. The impact is primarily on confidentiality, as unauthorized access to user accounts or data could occur without affecting data integrity or system availability. The vulnerability was publicly disclosed on March 24, 2026, and fixed in Vikunja version 2.2.1. No known exploits have been reported in the wild to date. The flaw is significant because it undermines the security guarantees of 2FA, a critical defense mechanism for user authentication in modern applications.
Potential Impact
This vulnerability can allow attackers with some level of access (e.g., a user account) to reuse a valid TOTP within its 30-second window to authenticate multiple times, potentially escalating privileges or accessing sensitive information without proper authorization. The confidentiality of user data and task management information could be compromised. Although the vulnerability does not affect data integrity or availability, unauthorized access could lead to data leakage or privacy violations. Organizations relying on Vikunja for task and project management, especially those handling sensitive or proprietary information, face increased risk of account compromise. The ease of exploitation (low complexity, network accessible) combined with the widespread use of 2FA means attackers could automate attempts to reuse TOTPs, increasing the threat surface. This could undermine trust in the platform’s security and lead to compliance issues if sensitive data is exposed.
Mitigation Recommendations
The primary mitigation is to upgrade all Vikunja installations to version 2.2.1 or later, where the vulnerability is patched. For organizations unable to immediately upgrade, consider temporarily disabling 2FA or enforcing additional authentication checks to prevent TOTP reuse, such as implementing server-side tracking of used TOTPs within their validity window. Monitoring authentication logs for repeated TOTP usage and anomalous login patterns can help detect exploitation attempts. Educate users on the importance of timely software updates and secure 2FA practices. Additionally, consider integrating external 2FA providers with more robust replay protection mechanisms. Regularly audit and review authentication mechanisms to ensure compliance with best practices. Finally, maintain an incident response plan to quickly address any suspected account compromises.
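The server-side tracking of used codes that the paragraph above recommends can be implemented as a per-user "last accepted time step" record, which is what RFC 6238 section 5.2 asks a verifier to keep. The following Go program is an added example written for this page; it is not Vikunja's code and not the project's actual 2.2.1 fix. It implements RFC 4226/6238 TOTP with the standard library, shows the weak stateless check beside a guarded one, and uses a constructed secret and hypothetical user names (`alice`, `bob`); the `ReplayGuard` type and its in-memory map are assumptions, and a real deployment would keep that state in the database or a shared cache.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"sync"
	"time"
)

// Period of a standard authenticator-app TOTP, in seconds.
const totpPeriod = 30

// hotp computes an RFC 4226 HOTP value (HMAC-SHA1, 6 digits) for counter.
func hotp(secret []byte, counter uint64) uint32 {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	truncated := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return truncated % 1000000
}

// totpStep maps a time to its RFC 6238 30-second step counter.
func totpStep(t time.Time) uint64 {
	return uint64(t.Unix()) / totpPeriod
}

// GenerateTOTP returns the six-digit code valid during the step containing t.
func GenerateTOTP(secret []byte, t time.Time) string {
	return fmt.Sprintf("%06d", hotp(secret, totpStep(t)))
}

// matchingStep reports which step (current, or one step either side to
// tolerate clock drift) produced code, using a constant-time comparison.
func matchingStep(secret []byte, code string, t time.Time) (uint64, bool) {
	cur := totpStep(t)
	for _, step := range []uint64{cur - 1, cur, cur + 1} {
		want := fmt.Sprintf("%06d", hotp(secret, step))
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			return step, true
		}
	}
	return 0, false
}

// VerifyStateless is the weak pattern the advisory describes: the code is
// checked against the clock only, so the same code verifies as many times as
// it is presented until the 30-second window rolls over.
func VerifyStateless(secret []byte, code string, t time.Time) bool {
	_, ok := matchingStep(secret, code, t)
	return ok
}

// ReplayGuard (assumed type, not from Vikunja) remembers, per user, the last
// time step whose code was accepted. In a real deployment this state lives in
// the database or a shared cache so it survives restarts and is shared by all
// application instances.
type ReplayGuard struct {
	mu       sync.Mutex
	lastStep map[string]uint64
}

func NewReplayGuard() *ReplayGuard {
	return &ReplayGuard{lastStep: make(map[string]uint64)}
}

// Verify accepts a code only if it is valid for the clock AND belongs to a
// later step than the last code accepted for this user (RFC 6238 section 5.2:
// a verifier must not accept a second attempt of an already-used OTP).
func (g *ReplayGuard) Verify(user string, secret []byte, code string, t time.Time) bool {
	step, ok := matchingStep(secret, code, t)
	if !ok {
		return false
	}
	g.mu.Lock()
	defer g.mu.Unlock()
	if last, seen := g.lastStep[user]; seen && step <= last {
		return false // replay of the current code, or an older code after a newer one
	}
	g.lastStep[user] = step
	return true
}

func main() {
	secret := []byte("constructed-demo-secret") // constructed placeholder, not a real account secret
	now := time.Unix(1700000000, 0)
	code := GenerateTOTP(secret, now)
	fmt.Println("stateless, first use: ", VerifyStateless(secret, code, now))
	fmt.Println("stateless, second use:", VerifyStateless(secret, code, now)) // still accepted
	g := NewReplayGuard()
	fmt.Println("guarded, first use:   ", g.Verify("alice", secret, code, now))
	fmt.Println("guarded, second use:  ", g.Verify("alice", secret, code, now)) // rejected
}
```

The guard compares time steps rather than code strings, so it also rejects a code from the previous step after a newer one has been accepted, and it keeps rejecting the replayed code during the one-step drift tolerance that `matchingStep` allows. Logging the rejected branch gives the "repeated TOTP usage" signal the monitoring recommendation above refers to.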
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, Sweden, Switzerland, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-20T16:16:48.969Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c2b1b2f4197a8e3b48d1ad
Added to database: 3/24/2026, 3:45:54 PM
Last enriched: 3/24/2026, 4:06:18 PM
Last updated: 3/26/2026, 5:26:22 AM