CVE-2026-34727: CWE-287: Improper Authentication in go-vikunja vikunja
Vikunja versions prior to 2. 3. 0 have an authentication vulnerability in the OIDC callback handler where the system issues a full JWT token without verifying if the user has TOTP two-factor authentication enabled. This allows the second factor to be bypassed for local users with TOTP enrolled when matched via the OIDC email fallback mechanism. The vulnerability is identified as CWE-287 (Improper Authentication) and has a CVSS score of 7. 4 (high severity). The issue is fixed in version 2. 3. 0.
AI Analysis
Technical Summary
In Vikunja versions before 2.3.0, the OIDC callback handler improperly authenticates users by issuing a full JWT token without checking if the matched local user has TOTP two-factor authentication enabled. Specifically, when a local user with TOTP enrolled is matched through the OIDC email fallback mechanism, the second factor is skipped entirely, resulting in improper authentication (CWE-287). This vulnerability allows attackers to bypass two-factor authentication, potentially leading to unauthorized access. The vulnerability has a CVSS 3.1 score of 7.4, indicating high severity. The issue is resolved in Vikunja 2.3.0.
Potential Impact
The vulnerability allows an attacker to bypass two-factor authentication (TOTP) for local users when authenticated via the OIDC email fallback mechanism. This can lead to unauthorized access with full privileges of the targeted user. The impact includes confidentiality and integrity compromise but does not affect availability. The CVSS score of 7.4 reflects a high severity due to network attack vector and no user interaction required.
Mitigation Recommendations
Upgrade Vikunja to version 2.3.0 or later, where this vulnerability is fixed. Since no official patch links or vendor advisory details are provided, users should verify the upgrade from the official Vikunja project sources. Patch status is not explicitly confirmed beyond the fix in 2.3.0, so check vendor advisories for the latest remediation guidance.
CVE-2026-34727: CWE-287: Improper Authentication in go-vikunja vikunja
Description
Vikunja versions prior to 2. 3. 0 have an authentication vulnerability in the OIDC callback handler where the system issues a full JWT token without verifying if the user has TOTP two-factor authentication enabled. This allows the second factor to be bypassed for local users with TOTP enrolled when matched via the OIDC email fallback mechanism. The vulnerability is identified as CWE-287 (Improper Authentication) and has a CVSS score of 7. 4 (high severity). The issue is fixed in version 2. 3. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
In Vikunja versions before 2.3.0, the OIDC callback handler improperly authenticates users by issuing a full JWT token without checking if the matched local user has TOTP two-factor authentication enabled. Specifically, when a local user with TOTP enrolled is matched through the OIDC email fallback mechanism, the second factor is skipped entirely, resulting in improper authentication (CWE-287). This vulnerability allows attackers to bypass two-factor authentication, potentially leading to unauthorized access. The vulnerability has a CVSS 3.1 score of 7.4, indicating high severity. The issue is resolved in Vikunja 2.3.0.
Potential Impact
The vulnerability allows an attacker to bypass two-factor authentication (TOTP) for local users when authenticated via the OIDC email fallback mechanism. This can lead to unauthorized access with full privileges of the targeted user. The impact includes confidentiality and integrity compromise but does not affect availability. The CVSS score of 7.4 reflects a high severity due to network attack vector and no user interaction required.
Mitigation Recommendations
Upgrade Vikunja to version 2.3.0 or later, where this vulnerability is fixed. Since no official patch links or vendor advisory details are provided, users should verify the upgrade from the official Vikunja project sources. Patch status is not explicitly confirmed beyond the fix in 2.3.0, so check vendor advisories for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-30T18:41:20.753Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d91fde1cc7ad14dacba297
Added to database: 4/10/2026, 4:05:50 PM
Last enriched: 4/10/2026, 4:20:45 PM
Last updated: 4/10/2026, 5:34:08 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.