CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27575: The Zombie Session: Breaking Vikunja's Auth with CVE-2026-27575

Vulnerability ID: CVE-2026-27575
CVSS Score: 9.1
Published: 2026-02-25

CVE-2026-27575 represents a catastrophic failure in the authentication lifecycle of Vikunja, a popular self-hosted task management platform. The vulnerability is a two-headed beast: first, it allowed users (and attackers) to set passwords of a single character, because the minimum-length policy was enforced at registration but not on password updates or resets. Second, and far more critical, it failed to invalidate active sessions upon password changes. This means an attacker who steals a session token retains permanent access to the victim's data, even after the victim explicitly resets their credentials to 'lock them out'. It is a classic case of stateless JWTs being deployed without a revocation strategy.

TL;DR

Vikunja versions prior to 2.0.0 allow persistent account takeover. Due to a lack of input validation, passwords could be reset to a single character. Worse, changing a password did not invalidate existing JSON Web Tokens (JWTs). An attacker with a stolen token remains logged in indefinitely, regardless of the victim's remediation attempts. Fix: Upgrade to v2.0.0 immediately.

⚠️ Exploit Status: PoC

Technical Details

  • CWE IDs: CWE-521 (Weak Password Requirements), CWE-613 (Insufficient Session Expiration)
  • CVSS Score: 9.1 (Critical)
  • Attack Vector: Network (API)
  • Privileges Required: None (for initial access via weak policy logic)
  • Exploit Status: PoC Available / Trivial
  • Patch Date: 2026-02-25

Affected Systems

  • Vikunja < 2.0.0 (fixed in 2.0.0)

Code Analysis

Commit: 89c17d3

Enforce password limits on update and reset

type UserPassword struct {
- NewPassword string `json:"new_password"`
+ NewPassword string `json:"new_password" valid:"minLength:8"`
}
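Review bot: the `valid:"minLength:8"` tag added to `NewPassword` is declarative and only takes effect where the handler actually runs the struct validator on `UserPassword`; this hunk does not show that call. Since the commit message says the limit is enforced "on update and reset", please confirm both handlers validate this struct, ideally with a test that submits a one-character `new_password` to each endpoint and expects a rejection.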

Commit: 2526853

Refactor session management to stateful tokens

// Logic added to invalidate sessions on password change

Mitigation Strategies

  • Enforce minimum password complexity on all inputs, not just registration.
  • Implement stateful session management or token denylists.
  • Invalidate all active sessions upon password rotation.
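As an added example (not Vikunja's code and not taken from the patch), the Go stand-in below shows the revocation strategy these three bullets describe: every signed session token carries the password version it was issued under, the verifier compares that against the user's current version on each request, and a password change (which also enforces the 8-character minimum) bumps the version so every earlier token stops working. Assumptions: an HMAC-signed `user.pv.sig` token in place of a full JWT (usernames without dots), an in-memory map in place of the database, and no concurrency control.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strconv"
	"strings"
)

// Constructed stand-in, not Vikunja's code; Users holds each user's password version.
type AuthService struct {
	Secret []byte
	Users  map[string]int // the one piece of server-side state Verify consults
}
var ErrWeakPassword = errors.New("password must be at least 8 characters")
var ErrInvalidToken = errors.New("invalid or revoked token")
func (a *AuthService) sign(msg string) string {
	m := hmac.New(sha256.New, a.Secret)
	m.Write([]byte(msg))
	return hex.EncodeToString(m.Sum(nil))
}

// Issue mints a signed "user.pv.sig" token that records the current password version.
func (a *AuthService) Issue(user string) string {
	msg := user + "." + strconv.Itoa(a.Users[user])
	return msg + "." + a.sign(msg)
}

// Verify checks the signature, then rejects any token issued under an older password version.
func (a *AuthService) Verify(tok string) (string, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 || !hmac.Equal([]byte(a.sign(p[0]+"."+p[1])), []byte(p[2])) {
		return "", ErrInvalidToken
	}
	if v, ok := a.Users[p[0]]; !ok || p[1] != strconv.Itoa(v) {
		return "", ErrInvalidToken
	}
	return p[0], nil
}

// ChangePassword enforces the 8-char minimum (bug one) and bumps the version so earlier tokens fail Verify (bug two).
func (a *AuthService) ChangePassword(user, newPassword string) error {
	if len(newPassword) < 8 {
		return ErrWeakPassword
	}
	a.Users[user]++
	return nil
}
```

A rejected (too short) password change must not bump the version, otherwise a failed reset would itself log the user out everywhere.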

Remediation Steps:

  1. Backup the Vikunja database.
  2. Pull the Vikunja v2.0.0 Docker image or download the binary.
  3. Restart the service to trigger database migrations.
  4. Verify that changing a password now terminates other active sessions.

Read the full report for CVE-2026-27575 on our website for more details including interactive diagrams and full exploit analysis.