Vulnerability-Lookup

CVE-2026-28268 (GCVE-0-2026-28268)

Vulnerability from cvelistv5 – Published: 2026-02-27 20:16 – Updated: 2026-03-03 20:26

Title

Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse

Summary

Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever. This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-459 - Incomplete Cleanup
CWE-640 - Weak Password Recovery Mechanism for Forgotten Password

Assigner

GitHub_M

References

URL

Tags

	https://github.com/go-vikunja/vikunja/security/ad…	x_refsource_CONFIRM
	https://github.com/go-vikunja/vikunja/commit/5c21…	x_refsource_MISC
	https://vikunja.io/changelog/vikunja-v2.1.0-was-r…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	go-vikunja	vikunja	Affected: < 2.1.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28268",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-03T20:26:41.313436Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-03T20:26:53.644Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vikunja",
          "vendor": "go-vikunja",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.1.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever. This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-459",
              "description": "CWE-459: Incomplete Cleanup",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-27T20:16:29.842Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-rfjg-6m84-crj2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-rfjg-6m84-crj2"
        },
        {
          "name": "https://github.com/go-vikunja/vikunja/commit/5c2195f9fca9ad208477e865e6009c37889f87b2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/go-vikunja/vikunja/commit/5c2195f9fca9ad208477e865e6009c37889f87b2"
        },
        {
          "name": "https://vikunja.io/changelog/vikunja-v2.1.0-was-released",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://vikunja.io/changelog/vikunja-v2.1.0-was-released"
        }
      ],
      "source": {
        "advisory": "GHSA-rfjg-6m84-crj2",
        "discovery": "UNKNOWN"
      },
      "title": "Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-28268",
    "datePublished": "2026-02-27T20:16:29.842Z",
    "dateReserved": "2026-02-26T01:52:58.732Z",
    "dateUpdated": "2026-03-03T20:26:53.644Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-28268\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-27T21:16:18.233\",\"lastModified\":\"2026-03-06T21:03:09.780\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever. This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue.\"},{\"lang\":\"es\",\"value\":\"Vikunja es una plataforma de gesti\u00f3n de tareas de c\u00f3digo abierto autoalojada. En las versiones anteriores a la 2.1.0, existe una vulnerabilidad de l\u00f3gica de negocio en el mecanismo de restablecimiento de contrase\u00f1a de vikunja/API que permite que los tokens de restablecimiento de contrase\u00f1a sean reutilizados indefinidamente. Debido a un fallo en la invalidaci\u00f3n de tokens tras su uso y a un error de l\u00f3gica cr\u00edtico en el trabajo cron de limpieza de tokens, los tokens de restablecimiento permanecen v\u00e1lidos para siempre. Esto permite a un atacante que intercepta un \u00fanico token de restablecimiento (a trav\u00e9s de registros, historial del navegador o phishing) realizar una toma de control de cuenta completa y persistente en cualquier momento en el futuro, eludiendo los controles de autenticaci\u00f3n est\u00e1ndar. La versi\u00f3n 2.1.0 contiene un parche para el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-459\"},{\"lang\":\"en\",\"value\":\"CWE-640\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-640\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.1.0\",\"matchCriteriaId\":\"5F4164A9-6656-425E-81AF-BC892E137C82\"}]}]}],\"references\":[{\"url\":\"https://github.com/go-vikunja/vikunja/commit/5c2195f9fca9ad208477e865e6009c37889f87b2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/go-vikunja/vikunja/security/advisories/GHSA-rfjg-6m84-crj2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://vikunja.io/changelog/vikunja-v2.1.0-was-released\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-28268\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-03T20:26:41.313436Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-03T20:26:48.321Z\"}}], \"cna\": {\"title\": \"Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse\", \"source\": {\"advisory\": \"GHSA-rfjg-6m84-crj2\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"go-vikunja\", \"product\": \"vikunja\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.1.0\"}]}], \"references\": [{\"url\": \"https://github.com/go-vikunja/vikunja/security/advisories/GHSA-rfjg-6m84-crj2\", \"name\": \"https://github.com/go-vikunja/vikunja/security/advisories/GHSA-rfjg-6m84-crj2\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/go-vikunja/vikunja/commit/5c2195f9fca9ad208477e865e6009c37889f87b2\", \"name\": \"https://github.com/go-vikunja/vikunja/commit/5c2195f9fca9ad208477e865e6009c37889f87b2\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://vikunja.io/changelog/vikunja-v2.1.0-was-released\", \"name\": \"https://vikunja.io/changelog/vikunja-v2.1.0-was-released\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever. This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-459\", \"description\": \"CWE-459: Incomplete Cleanup\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-640\", \"description\": \"CWE-640: Weak Password Recovery Mechanism for Forgotten Password\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-27T20:16:29.842Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-28268\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-03T20:26:53.644Z\", \"dateReserved\": \"2026-02-26T01:52:58.732Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-27T20:16:29.842Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-28268

Vulnerability from fkie_nvd - Published: 2026-02-27 21:16 - Updated: 2026-03-06 21:03

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/go-vikunja/vikunja/commit/5c2195f9fca9ad208477e865e6009c37889f87b2	Patch
security-advisories@github.com	https://github.com/go-vikunja/vikunja/security/advisories/GHSA-rfjg-6m84-crj2	Vendor Advisory
security-advisories@github.com	https://vikunja.io/changelog/vikunja-v2.1.0-was-released	Release Notes

Impacted products

	Vendor	Product	Version
	vikunja	vikunja	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5F4164A9-6656-425E-81AF-BC892E137C82",
              "versionEndExcluding": "2.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever. This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue."
    },
    {
      "lang": "es",
      "value": "Vikunja es una plataforma de gesti\u00f3n de tareas de c\u00f3digo abierto autoalojada. En las versiones anteriores a la 2.1.0, existe una vulnerabilidad de l\u00f3gica de negocio en el mecanismo de restablecimiento de contrase\u00f1a de vikunja/API que permite que los tokens de restablecimiento de contrase\u00f1a sean reutilizados indefinidamente. Debido a un fallo en la invalidaci\u00f3n de tokens tras su uso y a un error de l\u00f3gica cr\u00edtico en el trabajo cron de limpieza de tokens, los tokens de restablecimiento permanecen v\u00e1lidos para siempre. Esto permite a un atacante que intercepta un \u00fanico token de restablecimiento (a trav\u00e9s de registros, historial del navegador o phishing) realizar una toma de control de cuenta completa y persistente en cualquier momento en el futuro, eludiendo los controles de autenticaci\u00f3n est\u00e1ndar. La versi\u00f3n 2.1.0 contiene un parche para el problema."
    }
  ],
  "id": "CVE-2026-28268",
  "lastModified": "2026-03-06T21:03:09.780",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-27T21:16:18.233",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/go-vikunja/vikunja/commit/5c2195f9fca9ad208477e865e6009c37889f87b2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-rfjg-6m84-crj2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://vikunja.io/changelog/vikunja-v2.1.0-was-released"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-459"
        },
        {
          "lang": "en",
          "value": "CWE-640"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-640"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-RFJG-6M84-CRJ2

Vulnerability from github – Published: 2026-02-28 01:59 – Updated: 2026-02-28 01:59

Summary

Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse

Details

Summary A critical business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever.

This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls.

Technical Analysis The vulnerability stems from two distinct logic errors in the pkg/user/ package that confirm the tokens are never removed.

Logic Error in Password Reset (No Invalidation) In pkg/user/user_password_reset.go, the ResetPassword function successfully updates the user's password but fails to delete the reset token used to authorize the request. Instead, it attempts to delete a TokenEmailConfirm token, leaving the TokenPasswordReset active.

Vulnerable Code: pkg/user/user_password_reset.go (Lines 36-94)

func ResetPassword(s *xorm.Session, reset *PasswordReset) (userID int64, err error) {
    // ... [Validation and User Lookup] ...

    // Hash the password
    user.Password, err = HashPassword(reset.NewPassword)
    if err != nil {
        return
    }

    // FLAW: Deletes 'TokenEmailConfirm' instead of the current 'TokenPasswordReset'
    err = removeTokens(s, user, TokenEmailConfirm)
    if err != nil {
        return
    }

    // ... [Update User Status and Return] ...
    // The reset token is never removed and remains valid in the DB.
}

Logic Error in Token Cleanup (Inverted Expiry) The background cron job intended to expire old tokens contains an inverted comparison operator. It deletes tokens newer than 24 hours instead of older ones.

Vulnerable Code: pkg/user/token.go (Lines 125-151)

func RegisterTokenCleanupCron() {
    // ...
    err := cron.Schedule("0 * * * *", func() {
        // ...
        // FLAW: "created > ?" selects tokens created AFTER 24 hours ago.
        // This deletes NEW valid tokens and keeps OLD expired tokens forever.
        deleted, err := s.
            Where("created > ? AND (kind = ? OR kind = ?)", 
            time.Now().Add(time.Hour*24*-1), 
            TokenPasswordReset, TokenAccountDeletion).
            Delete(&Token{})
        // ...
    })
}

Impact Persistent Account Takeover: An attacker with a single valid token can reset the victim's password an unlimited number of times.

Bypass of Remediation: Even if the victim notices suspicious activity and changes their password, the attacker can use the same old token to reset it again immediately.

Infinite Attack Window: Because the cleanup cron is broken, the token effectively has a generic TTL of "forever," allowing exploitation months or years after the token was issued.

Remediation 1. Invalidate Token on Use Update ResetPassword to delete the specific reset token upon successful completion. // Recommended Fix err = removeTokens(s, user, TokenPasswordReset) // Correct TokenKind 2. Fix Cleanup Logic Update the SQL query in RegisterTokenCleanupCron to target tokens created before the cutoff time. // Recommended Fix Where("created < ? ...", time.Now().Add(time.Hour*24*-1), ...) // Use Less Than (<)

A fix is available at https://github.com/go-vikunja/vikunja/releases/tag/v2.1.0

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "code.vikunja.io/api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.24.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28268"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-459",
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-28T01:59:28Z",
    "nvd_published_at": "2026-02-27T21:16:18Z",
    "severity": "CRITICAL"
  },
  "details": "**Summary**\nA critical business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever.\n\nThis allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls.\n\n**Technical Analysis**\nThe vulnerability stems from two distinct logic errors in the pkg/user/ package that confirm the tokens are never removed.\n\n1. Logic Error in Password Reset (No Invalidation)\nIn pkg/user/user_password_reset.go, the ResetPassword function successfully updates the user\u0027s password but fails to delete the reset token used to authorize the request. Instead, it attempts to delete a TokenEmailConfirm token, leaving the TokenPasswordReset active.\n\nVulnerable Code: pkg/user/user_password_reset.go (Lines 36-94)\n```\nfunc ResetPassword(s *xorm.Session, reset *PasswordReset) (userID int64, err error) {\n    // ... [Validation and User Lookup] ...\n\n    // Hash the password\n    user.Password, err = HashPassword(reset.NewPassword)\n    if err != nil {\n        return\n    }\n\n    // FLAW: Deletes \u0027TokenEmailConfirm\u0027 instead of the current \u0027TokenPasswordReset\u0027\n    err = removeTokens(s, user, TokenEmailConfirm)\n    if err != nil {\n        return\n    }\n\n    // ... [Update User Status and Return] ...\n    // The reset token is never removed and remains valid in the DB.\n}\n```\n2. Logic Error in Token Cleanup (Inverted Expiry)\nThe background cron job intended to expire old tokens contains an inverted comparison operator. It deletes tokens newer than 24 hours instead of older ones.\n\nVulnerable Code: pkg/user/token.go (Lines 125-151)\n```\nfunc RegisterTokenCleanupCron() {\n    // ...\n    err := cron.Schedule(\"0 * * * *\", func() {\n        // ...\n        // FLAW: \"created \u003e ?\" selects tokens created AFTER 24 hours ago.\n        // This deletes NEW valid tokens and keeps OLD expired tokens forever.\n        deleted, err := s.\n            Where(\"created \u003e ? AND (kind = ? OR kind = ?)\", \n            time.Now().Add(time.Hour*24*-1), \n            TokenPasswordReset, TokenAccountDeletion).\n            Delete(\u0026Token{})\n        // ...\n    })\n}\n\n```\n\n**Impact**\nPersistent Account Takeover: An attacker with a single valid token can reset the victim\u0027s password an unlimited number of times.\n\nBypass of Remediation: Even if the victim notices suspicious activity and changes their password, the attacker can use the same old token to reset it again immediately.\n\nInfinite Attack Window: Because the cleanup cron is broken, the token effectively has a generic TTL of \"forever,\" allowing exploitation months or years after the token was issued.\n\n**Remediation**\n1. Invalidate Token on Use\nUpdate ResetPassword to delete the specific reset token upon successful completion.\n`// Recommended Fix\nerr = removeTokens(s, user, TokenPasswordReset) // Correct TokenKind`\n2. Fix Cleanup Logic\nUpdate the SQL query in RegisterTokenCleanupCron to target tokens created before the cutoff time.\n`// Recommended Fix\nWhere(\"created \u003c ? ...\", time.Now().Add(time.Hour*24*-1), ...) // Use Less Than (\u003c)`\n\nA fix is available at https://github.com/go-vikunja/vikunja/releases/tag/v2.1.0",
  "id": "GHSA-rfjg-6m84-crj2",
  "modified": "2026-02-28T01:59:28Z",
  "published": "2026-02-28T01:59:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-rfjg-6m84-crj2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28268"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/commit/5c2195f9fca9ad208477e865e6009c37889f87b2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-vikunja/vikunja"
    },
    {
      "type": "WEB",
      "url": "https://vikunja.io/changelog/vikunja-v2.1.0-was-released"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-28268 (GCVE-0-2026-28268)

FKIE_CVE-2026-28268

GHSA-RFJG-6M84-CRJ2

Tags

Sightings

Nomenclature