Vikunja has TOTP Reuse During Validity Window_CVE-2026-33473

5.7 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Description

Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue.

Basic Information

ID CVE-2026-33473

Source GitHub_M

Published Mar 24, 2026 at 15:18

Modified Mar 24, 2026 at 17:11

Affected Product

Vendor go-vikunja

Product vikunja

Version >= 0.13, < 2.2.1

Affected Versions go-vikunja vikunja >= 0.13, < 2.2.1

CWE Classification

CWE-287

References

{
    "lastseen": "",
    "description": "Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue.",
    "published": "2026-03-24T15:18:14.481Z",
    "modified": "2026-03-24T17:11:26.042Z",
    "type": "cve",
    "title": "Vikunja has TOTP Reuse During Validity Window",
    "source": "GitHub_M",
    "references": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-p747-qc5p-773r\nhttps://vikunja.io/changelog/vikunja-v2.2.0-was-released\nhttps://vikunja.io/changelog/vikunja-v2.2.2-was-released",
    "id": "CVE-2026-33473",
    "bulletinFamily": "",
    "cwe": [
        "CWE-287"
    ],
    "cvelist": null,
    "sourceData": "go-vikunja vikunja >= 0.13, < 2.2.1",
    "sourceHref": "",
    "cvss": {
        "score": 5.7,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "vikunja",
    "version": ">= 0.13, < 2.2.1",
    "vendor": "go-vikunja",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}