CVE-2026-29794: Rate Limit Bypass via IP Spoofing in Vikunja
Vulnerability ID: CVE-2026-29794
CVSS Score: 5.3
Published: 2026-03-20
Vikunja versions prior to 2.2.0 contain a rate-limit bypass vulnerability due to improper validation of client IP addresses. Unauthenticated remote attackers can bypass IP-based rate limiting by spoofing HTTP headers such as X-Forwarded-For, enabling unlimited brute-force attacks against authentication endpoints.
TL;DR
A misconfigured client-IP extractor in Vikunja's use of the Labstack Echo framework allows attackers to bypass rate limits by injecting spoofed IP headers, facilitating high-speed credential stuffing and brute-force attacks.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-807
- Attack Vector: Network
- CVSS v3.1: 5.3
- Impact: Rate Limit Bypass, Credential Stuffing
- Exploit Status: Proof of Concept
- KEV Status: Not Listed
Affected Systems
- go-vikunja/vikunja
- vikunja: >= 0.8, < 2.2.0 (Fixed in: 2.2.0)
Code Analysis
Commit: a498dd6
Fix rate limit bypass by implementing strict IP extraction methods and trusted proxy configurations.
Mitigation Strategies
- Upgrade Vikunja to version 2.2.0 or later.
- Configure service.trustedproxies with appropriate internal CIDR blocks.
- Implement strict header sanitization at the edge reverse proxy or WAF.
Remediation Steps:
- Download and install Vikunja v2.2.0.
- Review network architecture to identify legitimate reverse proxies.
- Update the Vikunja configuration file to set service.ipextractionmethod to xff or realip based on proxy behavior.
- Define trusted proxy CIDR ranges in the service.trustedproxies configuration block.
- Restart the Vikunja service to apply the configuration changes.
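The following Go code is an added illustration of the trusted-proxy model the fix and the remediation steps describe; it is not Vikunja's or Echo's own implementation. It assumes a CIDR list equivalent to service.trustedproxies and shows why a peer outside those ranges gains nothing from rewriting X-Forwarded-For: the rate-limit key stays its real address.

```go
package main

import (
	"net/netip"
	"strings"
)

// TrustedProxies holds the CIDR ranges an operator lists under service.trustedproxies.
type TrustedProxies []netip.Prefix

func ParseTrustedProxies(cidrs []string) (TrustedProxies, error) {
	var tp TrustedProxies
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, err // a malformed entry is a configuration error
		}
		tp = append(tp, p)
	}
	return tp, nil
}

func (tp TrustedProxies) contains(ip netip.Addr) bool {
	for _, p := range tp {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP returns the address a rate limiter should key on, given the TCP peer's IP and
// the raw X-Forwarded-For value. The chain is walked from the right (the hop nearest to
// us) and the first hop that is not a trusted proxy is the client. Headers sent by an
// untrusted peer are ignored, so that peer cannot mint a fresh bucket by rewriting them.
func (tp TrustedProxies) ClientIP(peerIP, xff string) string {
	peer, err := netip.ParseAddr(peerIP)
	if err != nil || !tp.contains(peer) {
		return peerIP
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		hop, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // malformed chain: key on the nearest trusted proxy instead
		}
		if !tp.contains(hop) {
			return hop.String()
		}
	}
	return peerIP
}
```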
References
- GitHub Security Advisory GHSA-m547-hp4w-j6jx
- Vikunja v2.2.0 Release Notes
- Echo Framework IP Address Extraction Documentation