Vulnerability in Go-vikunja Vikunja

CVE-2026-33315

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then a…

EPSS: 0.001 (29.4th percentile) — read the EPSS interpretation.

Affected products

Go-vikunja Vikunja — versions < 2.2.0

Weakness classification (CWE)

CWE-288 — Authentication Bypass Using an Alternate Path or Channel

References

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-47cr-f226-r4pq (x_refsource_CONFIRM)
https://github.com/go-vikunja/vikunja/commit/cdf5d30a425d032f749b78b98b828f25ad882615 (x_refsource_MISC)
https://vikunja.io/changelog/vikunja-v2.2.0-was-released (x_refsource_MISC)