Vikunja has Weak Password Policy Combined with Persistent Sessions After Password Change
Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An attacker who compromises an account (via brute-force or credential stuffing) can maintain persistent access even after the victim resets their password. Version 2.0.0 contains a fix.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vikunja prior to 2.0.0 allowed weak passwords and kept sessions valid after password changes, enabling persistent unauthorized access.
Overview
Vikunja, an open-source self-hosted task management platform, had two combined flaws prior to version 2.0.0. The application did not enforce minimum password strength during registration or password changes, allowing users to set weak passwords (e.g., "1234" or "password"). Additionally, when a user changed their password, all previously active sessions remained valid without being invalidated [1][2][3].
Exploitation
An attacker who compromises an account through brute-force or credential stuffing (leveraging weak passwords) can log in and obtain an active session token. Even after the legitimate user changes their password, the attacker can continue using the old session token indefinitely, maintaining access without needing the new password [3]. This attack chain is described in the security advisory with step-by-step reproduction [3].
Impact
Successful exploitation results in persistent account takeover, unauthorized access to sensitive data, and is especially dangerous for administrative accounts. The combination of weak password controls and improper session invalidation increases both the ease of exploitation and the overall impact [3].
Mitigation
Version 2.0.0 contains the fix, which introduces password validation on the reset and update flows (minimum length 8 and a maximum of 72 bytes, bcrypt's input limit, enforced through the bcrypt_password validator) and rebuilds the session authentication infrastructure so that sessions are invalidated after a password change [1][4]. Users are strongly advised to update immediately.
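The two controls the fix introduces, shown together as an added Go example that is not Vikunja's code: a length policy matching the patch's minimum of 8 and bcrypt's 72-byte cap, and session revocation keyed on a per-user "password generation" counter so that every token issued before a password change stops validating. SessionStore, its method names and the generation counter are constructed for illustration.

```go
package main

import (
	"errors"
	"unicode/utf8"
)

// ValidatePassword enforces a minimum of 8 characters and bcrypt's 72-byte cap;
// the cap counts bytes, not runes, because bcrypt truncates input at 72 bytes.
func ValidatePassword(pw string) error {
	if utf8.RuneCountInString(pw) < 8 {
		return errors.New("password must be at least 8 characters")
	}
	if len(pw) > 72 {
		return errors.New("password must be at most 72 bytes (bcrypt input limit)")
	}
	return nil
}

type session struct {
	userID     int64
	generation uint64 // owner's password generation when the token was issued
}
// SessionStore is a constructed example (not Vikunja's code): it tracks live
// tokens plus each user's password generation, which changes on every reset.
type SessionStore struct {
	sessions   map[string]session
	generation map[int64]uint64
}
func NewSessionStore() *SessionStore {
	return &SessionStore{sessions: map[string]session{}, generation: map[int64]uint64{}}
}
// Issue binds a token to the user's current password generation.
func (s *SessionStore) Issue(token string, userID int64) {
	s.sessions[token] = session{userID: userID, generation: s.generation[userID]}
}
// Valid accepts only tokens issued under the user's current generation.
func (s *SessionStore) Valid(token string) bool {
	sess, ok := s.sessions[token]
	return ok && sess.generation == s.generation[sess.userID]
}
// ChangePassword validates, bumps the generation (revoking older tokens) and issues a fresh one.
func (s *SessionStore) ChangePassword(userID int64, newPW, freshToken string) error {
	if err := ValidatePassword(newPW); err != nil {
		return err
	}
	s.generation[userID]++
	s.Issue(freshToken, userID)
	return nil
}
```

A rejected password change must not bump the generation, which is why the validation runs before the counter is touched.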
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| code.vikunja.io/api (Go) | <= 0.24.6 | — |
Affected products
- go-vikunja/vikunja: < 2.0.0
Patches
89c17d3b23e2 feat(api): enforce password validation on reset and update flows
4 files changed · +13 −3
pkg/routes/api/v1/user_password_reset.go+5 −0 modified@@ -44,6 +44,11 @@ func UserResetPassword(c *echo.Context) error { return echo.NewHTTPError(http.StatusBadRequest, "No password provided.").Wrap(err) } + // Validate the password + if err := c.Validate(pwReset); err != nil { + return err + } + s := db.NewSession() defer s.Close()
pkg/routes/api/v1/user_update_password.go+6 −1 modified@@ -29,7 +29,7 @@ import ( // UserPassword holds a user password. Used to update it. type UserPassword struct { OldPassword string `json:"old_password"` - NewPassword string `json:"new_password"` + NewPassword string `json:"new_password" valid:"bcrypt_password" minLength:"8" maxLength:"72"` } // UserChangePassword is the handler to change a users password @@ -58,6 +58,11 @@ func UserChangePassword(c *echo.Context) error { return echo.NewHTTPError(http.StatusBadRequest, "No password provided.").Wrap(err) } + // Validate the new password + if err := c.Validate(newPW); err != nil { + return err + } + if newPW.OldPassword == "" { return user.ErrEmptyOldPassword{} }
pkg/user/user_password_reset.go+1 −1 modified@@ -27,7 +27,7 @@ type PasswordReset struct { // The previously issued reset token. Token string `json:"token"` // The new password for this user. - NewPassword string `json:"new_password"` + NewPassword string `json:"new_password" valid:"bcrypt_password" minLength:"8" maxLength:"72"` } // ResetPassword resets a users password. It returns the ID of the user whose
pkg/user/validator.go+1 −1 modified@@ -54,7 +54,7 @@ func init() { return false } - return len([]byte(str)) < 72 + return len([]byte(str)) <= 72 } govalidator.TagMap["language"] = i18n.HasLanguage
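Review bot: In the UserResetPassword hunk the validation failure is returned bare (`return err`) while the bind failure just above it is wrapped as `echo.NewHTTPError(http.StatusBadRequest, "No password provided.").Wrap(err)`; unless the registered echo Validator already yields an HTTPError, a too-short password will surface as a generic server error instead of a 400. Wrapping it the same way, e.g. `return echo.NewHTTPError(http.StatusBadRequest, "Invalid password.").Wrap(err)`, keeps the two failure paths consistent. The same applies to the identical block in UserChangePassword.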
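Review bot: The tag `valid:"bcrypt_password" minLength:"8" maxLength:"72"` is duplicated verbatim on UserPassword.NewPassword and PasswordReset.NewPassword; if `maxLength` counts characters rather than bytes, a 72-character multibyte password is only caught by the `len([]byte(str)) <= 72` check inside `bcrypt_password`, so the two limits are not interchangeable. A comment on both fields stating that 72 is bcrypt's byte cap, or a shared constant, would keep them from drifting apart. Note also that these four files cover password strength only; the session invalidation the advisory names as part of the fix is not in this commit, so the advisory should link the commit that implements it.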
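Review bot: The change from `< 72` to `<= 72` in validator.go fixes the boundary (bcrypt accepts inputs of up to 72 bytes inclusive), but no test is added for it; a table test with 71-, 72- and 73-byte inputs, including a multibyte case, would pin the off-by-one so it cannot regress.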
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-3ccg-x393-96v8 (source: GHSA; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-27575 (source: GHSA; type: advisory)
- github.com/go-vikunja/vikunja/commit/89c17d3b23e2a23320ad135b4e8f0a14fdd91bda (source: GHSA; type: web)
- github.com/go-vikunja/vikunja/security/advisories/GHSA-3ccg-x393-96v8 (source: GHSA; type: web, x_refsource_CONFIRM)
- vikunja.io/changelog/vikunja-v2.0.0-was-released (source: GHSA; type: web, x_refsource_MISC)