CVE-2026-28268
Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever. This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue.
EPSS 0.04% · 13.0th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| vikunja | vikunja | 0, 0 |
| code.vikunja.io | api | 0, 0 |
| go-vikunja | vikunja | < 2.1.0, < 2.1.0 |
Timeline
- Feb 27, 2026 CVE Published
- Feb 27, 2026 PoC Published
- Feb 28, 2026 EPSS Score
- Feb 28, 2026 PoC Published
- Feb 28, 2026 PoC Published
- Feb 28, 2026 PoC Published
- Feb 28, 2026 PoC Published
- Mar 1, 2026 EPSS Score
- Mar 1, 2026 PoC Published
- Mar 3, 2026 EPSS Score
- Mar 3, 2026 Security Advisory
- Mar 3, 2026 CVE Updated
References
- https://github.com/go-vikunja/vikunja/security/advisories/GHSA-rfjg-6m84-crj2 url
- https://github.com/go-vikunja/vikunja/commit/5c2195f9fca9ad208477e865e6009c37889f87b2 url
- https://vikunja.io/changelog/vikunja-v2.1.0-was-released url
- https://nvd.nist.gov/vuln/detail/CVE-2026-28268 advisory
- https://github.com/go-vikunja/vikunja package