{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-34727/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Vikunja"],"_cs_severities":["high"],"_cs_tags":["vikunja","totp","oidc","bypass","cve-2026-34727"],"_cs_type":"advisory","_cs_vendors":["Vikunja"],"content_html":"\u003cp\u003eVikunja, a self-hostable to-do list application, is vulnerable to a two-factor authentication bypass (CVE-2026-34727) affecting versions 2.2.2 and earlier. The vulnerability arises in the OIDC (OpenID Connect) login flow when the \u003ccode\u003eEmailFallback\u003c/code\u003e option is enabled. If a local user has TOTP (Time-Based One-Time Password) enabled and their email address matches a user authenticating through the OIDC provider, the TOTP check is skipped. This allows an attacker who can authenticate to the OIDC provider with a matching email address to bypass the TOTP requirement and gain unauthorized access to the Vikunja account. This issue stems from the OIDC callback handler (\u003ccode\u003epkg/modules/auth/openid/openid.go\u003c/code\u003e) issuing a JWT without verifying TOTP status.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Vikunja instance with OIDC enabled and \u003ccode\u003eEmailFallback\u003c/code\u003e set to \u003ccode\u003etrue\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a valid local user with TOTP enabled and determines the user's email address.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or compromises an account on the configured OIDC provider that uses the same email address as the target Vikunja user.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates the OIDC login flow to the Vikunja instance.\u003c/li\u003e\n\u003cli\u003eThe OIDC provider authenticates the attacker using their compromised or created account.\u003c/li\u003e\n\u003cli\u003eVikunja's OIDC callback handler (\u003ccode\u003epkg/modules/auth/openid/openid.go\u003c/code\u003e) matches the email address from the OIDC provider to the local user.\u003c/li\u003e\n\u003cli\u003eThe callback handler incorrectly issues a JWT without performing TOTP verification, bypassing the second factor.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the received JWT to authenticate to the Vikunja API and gains full access to the user's account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to bypass TOTP two-factor authentication and gain unauthorized access to Vikunja accounts. This can lead to data breaches, modification of tasks and projects, and potential further compromise of the Vikunja instance. Any user who has enrolled TOTP on their local account can have that protection completely bypassed if their email address is also present in the OIDC provider. This undermines the security of TOTP enrollment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the recommended fix by adding a TOTP check in the OIDC callback before issuing the JWT, as described in the advisory.\u003c/li\u003e\n\u003cli\u003eDisable the \u003ccode\u003eEmailFallback\u003c/code\u003e option in the Vikunja OIDC configuration until the patch is applied.\u003c/li\u003e\n\u003cli\u003eMonitor Vikunja logs for unusual OIDC login activity, specifically successful OIDC logins for users who also have local accounts with TOTP enabled.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Vikunja Successful OIDC Login Bypassing TOTP\u003c/code\u003e to identify successful logins that bypass TOTP.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Vikunja OIDC Callback Request\u003c/code\u003e to identify potential OIDC login attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-vikunja-totp-bypass/","summary":"Vikunja version 2.2.2 and earlier has a two-factor authentication bypass vulnerability via the OIDC login path, where TOTP enrollment is ignored when a local user with TOTP enabled is matched via OIDC email fallback, allowing attackers with a matching email address in the OIDC provider to gain access without the second factor.","title":"Vikunja TOTP Two-Factor Authentication Bypass via OIDC Login","url":"https://feed.craftedsignal.io/briefs/2024-01-vikunja-totp-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-34727","version":"https://jsonfeed.org/version/1.1"}