Vikunja Account Reactivation Vulnerability (CVE-2026-33316)
A critical vulnerability in Vikunja versions prior to 2.2.0 allows disabled users to bypass administrator controls and reactivate their accounts by exploiting a flaw in the password reset logic.
Vikunja, an open-source self-hosted task management platform, is vulnerable to unauthorized account reactivation. Prior to version 2.2.0, the platform's password reset mechanism does not validate the account status before allowing a password reset, so disabled users can regain access. Specifically, the ResetPassword() function sets the user's status to StatusActive after a successful password reset without verifying whether an administrator deliberately disabled the account. This…
Detection coverage (3 rules)
Detect Password Reset Request from Disabled User (severity: high)
Detects requests to the password reset token endpoint from potentially disabled user accounts by correlating web server logs with a list of disabled users. Requires a method to correlate IP addresses or user identifiers from the Vikunja application with web server logs. The rule triggers when a request to `/api/v1/user/password/token` or `/api/v1/user/password/reset` is seen and the source IP address or user identifier matches a disabled user.
Detect Password Reset Request (severity: medium)
Detects requests to the password reset token endpoint `/api/v1/user/password/token`.
Detect Password Reset Completion (severity: medium)
Detects requests to the password reset completion endpoint `/api/v1/user/password/reset`.
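The correlation the high-severity rule describes, as an added example that is not part of this page or of Vikunja itself: it parses constructed Common Log Format lines, raises a medium alert for any request to the two reset endpoints and a high alert when the source address is on an operator-maintained list of addresses tied to disabled accounts. The log format, the sample addresses and keying the correlation on IP rather than user id are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
)

type Alert struct{ Severity, Rule, SourceIP, Path string } // one detection hit
// Common Log Format prefix; group 3 is the request path with any query string stripped.
var logLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) ([^?\s]+)\S* [^"]*"`)
// The two reset endpoints named in the advisory, mapped to the medium-severity rule each triggers.
var resetPaths = map[string]string{
	"/api/v1/user/password/token": "Detect Password Reset Request",
	"/api/v1/user/password/reset": "Detect Password Reset Completion",
}
// DetectResetRequests runs the three rules over raw access-log lines. disabledIPs is the operator's
// correlation list (addresses tied to admin-disabled accounts); keying on IP, not user id, is an assumption.
func DetectResetRequests(lines []string, disabledIPs map[string]bool) []Alert {
	var alerts []Alert
	for _, line := range lines {
		m := logLine.FindStringSubmatch(line)
		if m == nil {
			continue // not a parseable access-log line
		}
		ip, path := m[1], m[3]
		rule, ok := resetPaths[path]
		if !ok {
			continue // not password reset traffic
		}
		alerts = append(alerts, Alert{"medium", rule, ip, path})
		if disabledIPs[ip] { // same request, now correlated with a disabled account
			alerts = append(alerts, Alert{"high", "Detect Password Reset Request from Disabled User", ip, path})
		}
	}
	return alerts
}

// Constructed sample traffic (not real logs); 203.0.113.7 is the address of a disabled account.
var sampleLogs = []string{
	`203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "POST /api/v1/user/password/token HTTP/1.1" 200 42`,
	`198.51.100.9 - - [10/Mar/2026:12:00:05 +0000] "GET /api/v1/projects HTTP/1.1" 200 512`,
	`203.0.113.7 - - [10/Mar/2026:12:02:10 +0000] "POST /api/v1/user/password/reset?token=REDACTED HTTP/1.1" 200 21`,
	`198.51.100.9 - - [10/Mar/2026:12:03:00 +0000] "POST /api/v1/user/password/token HTTP/1.1" 200 42`,
}
var disabledIPs = map[string]bool{"203.0.113.7": true} // constructed correlation list
func main() {
	for _, a := range DetectResetRequests(sampleLogs, disabledIPs) {
		fmt.Printf("[%s] %s ip=%s path=%s\n", a.Severity, a.Rule, a.SourceIP, a.Path)
	}
}
```

On the sample above this yields five alerts: two medium and two high for the disabled address, and one medium for the other client.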