CVE-2026-28268:

Critical vulnerability in Vikunja's password reset mechanism allows indefinite token reuse, enabling persistent account takeover.

Score
A numerical rating that indicates how dangerous this vulnerability is.

9.8Critical

Published Date:Feb 27, 2026
CISA KEV Date:*No Data*
Industries Affected:20

Threat Predictions

EPSS Score:0.0
EPSS Percentile:12%

Exploitability

Score:3.9
Attack Vector:NETWORK
Attack Complexity:LOW
Privileges Required:NONE
User Interaction:NONE
Scope:UNCHANGED

Impact

Score:5.9
Confidentiality Impact:HIGH
Integrity Impact:HIGH
Availability Impact:HIGH

Description Preview

Critical vulnerability in Vikunja's password reset mechanism allows indefinite token reuse, enabling persistent account takeover.

Overview

The vulnerability in Vikunja's password reset mechanism poses a severe security risk. With a CVSS v3.1 base score of 9.8 (Critical), it allows attackers to bypass authentication and take over accounts persistently. The flaw stems from two key issues: failure to invalidate used tokens and a faulty token cleanup process. This combination results in reset tokens remaining valid indefinitely, creating a long-term security exposure. The vulnerability is particularly dangerous as it requires no special privileges or user interaction, and can be exploited over the network with low attack complexity.

Remediation

To address this vulnerability, users should immediately upgrade to Vikunja version 2.1.0 or later. This version contains a patch that resolves the issue with the password reset mechanism. Organizations using Vikunja should prioritize this update to prevent potential account takeovers. Additionally, it is advisable to review logs and access patterns for any suspicious activities related to password resets. Implementing additional security measures such as multi-factor authentication can provide an extra layer of protection against account compromise.