CVE-2026-33315

UNKNOWN 0.0

Vikunja has a 2FA Bypass via Caldav Basic Auth

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA (if enabled), such as project name, description, etc. Version 2.2.0 patches the issue.

CWE	CWE-288
Vendor	go-vikunja
Product	vikunja
Published	Mar 24, 2026
Last Updated	Mar 24, 2026

Stay Ahead of the Next One

Get instant alerts for go-vikunja vikunja

Be the first to know when new unknown vulnerabilities affecting go-vikunja vikunja are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

go-vikunja / vikunja

< 2.2.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/go-vikunja/vikunja/security/advisories/GHSA-47cr-f226-r4pq github.com: https://github.com/go-vikunja/vikunja/commit/cdf5d30a425d032f749b78b98b828f25ad882615 vikunja.io: https://vikunja.io/changelog/vikunja-v2.2.0-was-released