CVE-2026-33668 — Vulnetix

Try Vulnetix Request Demo

CVE-2026-33668 PUBLISHED CVSS 7.099999904632568 HIGH

Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue accessing the API and syncing data. Version 2.2.1 patches the issue.

EPSS 0.13% · 31.8th percentile

Risk Scores

CVSS v4.0

7.099999904632568

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS Score

0.13%

31.8th percentile

Affected Products

Vendor	Product	Versions
vikunja	vikunja	0.18.0, 0.18.0, 0.18.0
go-vikunja	vikunja	>= 0.18.0, < 2.2.1, >= 0.18.0, < 2.2.1, >= 0.18.0, < 2.2.1
code.vikunja.io	api	0.18.0, 0.18.0, 0.18.0

Timeline

Mar 24, 2026 PoC Published
Mar 24, 2026 CVE Published
Mar 25, 2026 EPSS Score
Mar 25, 2026 Coalition ESS Score
Mar 26, 2026 Security Advisory
Mar 26, 2026 CVE Updated

References

Open in Interactive Console →