Vikunja has a 2FA Bypass via Caldav Basic Auth
Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA (if enabled), such as project name, description, etc. Version 2.2.0 patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vikunja prior to 2.2.0 allows 2FA bypass via Caldav Basic Auth, exposing project data.
The vulnerability in Vikunja version 2.1.0 and earlier lies in the Caldav endpoint, which accepts Basic Authentication without enforcing Time-based One-Time Password (TOTP) verification for accounts with two-factor authentication (2FA) enabled. The authentication flow for Caldav simply retrieves credentials, verifies the username and password, and grants access—skipping any 2FA checks entirely [1][3].
An attacker who possesses valid credentials for a 2FA-enabled account can exploit this by sending a crafted HTTP request using Basic Authentication headers to the Caldav endpoint. No 2FA token is required. This allows the attacker to authenticate successfully and access standard project information that would otherwise be protected behind 2FA [3].
The impact is limited to reading project metadata such as name and description; the advisory does not indicate that write access or other sensitive data is exposed. However, it undermines the security provided by 2FA [1][3].
The issue has been addressed in Vikunja version 2.2.0. Users are strongly advised to upgrade to this version, which includes a complete patch that ensures 2FA is enforced for Caldav endpoints as well [1][2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
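The two authentication flows described above, the pre-2.2.0 one that grants access on username and password alone and the fixed one that refuses password-based Basic Auth when the account has TOTP enabled, as an added Go example. This is not Vikunja's own code: the user record, the in-memory store, the sample accounts and passwords, and the function names are all constructed for illustration.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// user is a constructed stand-in for an account record (assumption, not Vikunja's type).
type user struct {
	ID          int64
	Username    string
	Password    string // kept in the clear only to keep the example short; real systems store a hash
	TOTPEnabled bool
}

// userStore is a constructed in-memory directory: one 2FA-enabled account, one without.
var userStore = map[string]user{
	"alice": {ID: 1, Username: "alice", Password: "correct-horse", TOTPEnabled: true},
	"bob":   {ID: 2, Username: "bob", Password: "battery-staple", TOTPEnabled: false},
}

var (
	errBadCredentials = errors.New("invalid username or password")
	errTOTPRequired   = errors.New("TOTP is enabled for this account: password basic auth is not permitted, use a CalDAV token")
)

// authHeader builds an RFC 7617 "Basic" Authorization header value.
func authHeader(username, password string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(username+":"+password))
}

// parseBasicAuth decodes "Basic <base64(user:pass)>"; ok is false for any other shape.
func parseBasicAuth(header string) (username, password string, ok bool) {
	const prefix = "Basic "
	if !strings.HasPrefix(header, prefix) {
		return "", "", false
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(header, prefix))
	if err != nil {
		return "", "", false
	}
	parts := strings.SplitN(string(raw), ":", 2)
	if len(parts) != 2 {
		return "", "", false
	}
	return parts[0], parts[1], true
}

// checkPassword verifies the username/password pair with a constant-time comparison.
func checkPassword(username, password string) (*user, error) {
	u, found := userStore[username]
	if !found || subtle.ConstantTimeCompare([]byte(u.Password), []byte(password)) != 1 {
		return nil, errBadCredentials
	}
	return &u, nil
}

// basicAuthVulnerable mirrors the pre-2.2.0 flow the advisory describes:
// a correct password alone grants access, whatever the account's 2FA setting.
func basicAuthVulnerable(header string) (*user, error) {
	username, password, ok := parseBasicAuth(header)
	if !ok {
		return nil, errBadCredentials
	}
	return checkPassword(username, password)
}

// basicAuthHardened adds the check the fix introduces: once the password is
// verified, a TOTP-enabled account is refused outright, so Basic Auth can no
// longer be used to skip the second factor.
func basicAuthHardened(header string) (*user, error) {
	u, err := basicAuthVulnerable(header)
	if err != nil {
		return nil, err
	}
	if u.TOTPEnabled {
		return nil, errTOTPRequired
	}
	return u, nil
}

func username(u *user) string {
	if u == nil {
		return "<none>"
	}
	return u.Username
}

func main() {
	for _, h := range []string{authHeader("alice", "correct-horse"), authHeader("bob", "battery-staple")} {
		u1, err1 := basicAuthVulnerable(h)
		u2, err2 := basicAuthHardened(h)
		fmt.Printf("vulnerable: user=%s err=%v | hardened: user=%s err=%v\n", username(u1), err1, username(u2), err2)
	}
}
```

Running it shows the difference on the 2FA-enabled account only: "alice" is accepted by the vulnerable flow and rejected with errTOTPRequired by the hardened one, while "bob" passes both. The check is deliberately placed after password verification, so an unknown user or wrong password still fails with the same generic error and the endpoint does not reveal which accounts have 2FA enabled.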
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| code.vikunja.io/api (Go) | <= 2.1.0 | — |
Affected products
- go-vikunja/vikunja (range: < 2.2.0)
Patches
- cdf5d30a425d: fix: reject CalDAV basic auth when TOTP is enabled
1 file changed · +12 −0
pkg/routes/caldav/auth.go+12 −0 modified@@ -47,6 +47,18 @@ func BasicAuth(c *echo.Context, username, password string) (bool, error) { log.Errorf("Error during basic auth for caldav: %v", err) return false, nil } + + // If the user has TOTP enabled, reject password-based basic auth. + // They must use a CalDAV token instead. + totpEnabled, err := user.TOTPEnabledForUser(s, u) + if err != nil { + log.Errorf("Error checking TOTP status for caldav basic auth: %v", err) + return false, nil + } + if totpEnabled { + log.Warningf("CalDAV basic auth rejected for user %d: TOTP is enabled, a CalDAV token is required", u.ID) + return false, nil + } } if u != nil && err == nil { c.Set("userBasicAuth", u)
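Review bot: the new TOTP branch in `BasicAuth` swallows the lookup error: when `user.TOTPEnabledForUser(s, u)` fails, the function logs and returns `false, nil`, so the caller sees an ordinary failed login and an outage of the TOTP lookup is indistinguishable from a wrong password. Consider `return false, err`, or document that fail-closed-as-bad-credentials is the intended behaviour. The added comment also says TOTP users "must use a CalDAV token instead", but this hunk shows no token path; confirm that CalDAV token authentication is evaluated independently of this rejection so TOTP-enabled users keep a working login route, which cannot be verified from the diff alone.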
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-47cr-f226-r4pq (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33315 (ADVISORY)
- github.com/go-vikunja/vikunja/commit/cdf5d30a425d032f749b78b98b828f25ad882615 (MISC, WEB)
- github.com/go-vikunja/vikunja/security/advisories/GHSA-47cr-f226-r4pq (CONFIRM, WEB)
- vikunja.io/changelog/vikunja-v2.2.0-was-released (MISC, WEB)