CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-28268: Vikunja Password Reset Mechanism Logic Errors Allowing Persistent Account Takeover

Vulnerability ID: CVE-2026-28268
CVSS Score: 9.8
Published: 2026-02-28

A critical authentication bypass vulnerability exists in Vikunja, an open-source task management platform, affecting versions prior to 2.1.0. The vulnerability stems from two compounding logic errors in the password reset workflow: reset tokens were not invalidated after successful use, and the background cleanup job's expiration query failed to purge expired tokens. Together, these flaws allow an attacker who obtains a password reset token (for example from an intercepted message, a log file, or browser history) to reuse it indefinitely to reset the target user's password, giving persistent account takeover. Version 2.1.0 addresses the issue by correcting the token deletion logic and fixing the expiration query.

TL;DR

Vikunja versions < 2.1.0 fail to delete password reset tokens after use and fail to clean up expired tokens due to a logic bug in the cron job. This allows valid tokens to be reused indefinitely for account takeover. Fixed in v2.1.0.
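The two logic errors described above, modelled as an added example (not Vikunja's code): a minimal in-memory token store whose `ResetPassword` removes the user's password reset tokens with the corrected token kind, so a second submission of the same token is rejected, and whose `PurgeExpired` performs the cleanup the cron job was meant to do. All type, method and field names are assumptions for this model.

```go
package main

import "time"

// Token kinds as in the fixed call; names are assumed for this model, not Vikunja's own.
type TokenKind int
const (
	TokenEmailConfirm TokenKind = iota
	TokenPasswordReset
)
type token struct{ kind TokenKind; userID int64; expires time.Time }
// TokenStore is an in-memory stand-in for the user_tokens table.
type TokenStore struct{ tokens map[string]token }
func NewTokenStore() *TokenStore { return &TokenStore{tokens: map[string]token{}} }
func (s *TokenStore) Issue(value string, kind TokenKind, userID int64, ttl time.Duration, now time.Time) {
	s.tokens[value] = token{kind: kind, userID: userID, expires: now.Add(ttl)}
}

// removeTokens deletes one user's tokens of one kind. The vulnerable code called it with
// TokenEmailConfirm after a reset, so the reset token survived and could be replayed.
func (s *TokenStore) removeTokens(userID int64, kind TokenKind) {
	for v, t := range s.tokens {
		if t.userID == userID && t.kind == kind {
			delete(s.tokens, v)
		}
	}
}

// ResetPassword consumes a reset token. Unknown, wrong-kind or expired tokens are rejected;
// a successful reset removes the user's reset tokens (the corrected removeTokens call).
func (s *TokenStore) ResetPassword(value string, now time.Time) (userID int64, ok bool) {
	t, found := s.tokens[value]
	if !found || t.kind != TokenPasswordReset || !now.Before(t.expires) {
		return 0, false
	}
	s.removeTokens(t.userID, TokenPasswordReset)
	return t.userID, true
}

// PurgeExpired is the cron-job half of the fix: drop every token past its expiry.
func (s *TokenStore) PurgeExpired(now time.Time) (n int) {
	for v, t := range s.tokens {
		if !now.Before(t.expires) {
			delete(s.tokens, v)
			n++
		}
	}
	return n
}
```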


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-459
  • Attack Vector: Network
  • CVSS Score: 9.8
  • Remediation Level: Official Fix
  • Exploit Status: PoC Available
  • Report Confidence: Confirmed

Affected Systems

  • Vikunja (Self-Hosted)
  • Vikunja: < 2.1.0 (Fixed in: 2.1.0)

Code Analysis

Commit: 5c2195f

Fix: correctly remove password reset tokens after use

- err = removeTokens(s, user, TokenEmailConfirm)
+ err = removeTokens(s, user, TokenPasswordReset)
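Review bot: the one-line change only corrects the token kind passed to removeTokens; the hunk does not show whether the caller acts on the returned err, so confirm the reset handler aborts when deletion fails, otherwise a failed delete would leave the reset token live exactly as before. This hunk also covers only the first of the two bugs described in the report; the cleanup cron's expiration query fix is not in it and should be reviewed separately. A regression test that submits the same reset token twice and expects the second attempt to be rejected would lock the behaviour in.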

Exploit Details

Mitigation Strategies

  • Upgrade to Vikunja v2.1.0 immediately.
  • Manually purge the 'user_tokens' database table of all existing password reset tokens.
  • Review application logs for repeated requests to the password reset endpoint from suspicious IP addresses.

Remediation Steps:

  1. Stop the Vikunja service.
  2. Pull the latest container image or download the v2.1.0 binary.
  3. Apply the update and restart the service.
  4. Connect to the database and execute a cleanup query to remove stale tokens.
  5. Verify the fix by performing a test password reset flow.
