Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement
Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, a flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The ResetPassword() function sets the user’s status to StatusActive after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through /api/v1/user/password/token and completing the reset via /api/v1/user/password/reset, a disabled user can reactivate their account and bypass administrator-imposed account disablement. Version 2.2.0 patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vikunja password reset unconditionally reactivates disabled accounts, allowing attackers to bypass administrative disablements.
Vulnerability
Overview
A flaw in Vikunja's password reset logic allows disabled users to regain access to their accounts. The ResetPassword() function always sets the user's status to StatusActive after a successful password reset, without verifying whether the account had previously been disabled by an administrator. Additionally, the RequestUserPasswordResetTokenByEmail function fetches the user via GetUserWithEmail(), which does not filter out disabled users, so a disabled user is able to request a reset token in the first place [1] [3].
Exploitation
Method
An attacker can exploit this vulnerability by first obtaining the email address of a disabled user. Without authenticating, the attacker (or the disabled user themselves) sends a POST request to /api/v1/user/password/token to request a password reset token. Upon receiving the token via email, they send a POST request to /api/v1/user/password/reset to complete the password reset. This reactivates the previously disabled account, bypassing the administrator-imposed disablement [3]. Because the token is delivered to the account's registered email address, the disabled user can always complete this flow; a third party can do so only if they can read that mailbox.
Impact
Successful exploitation allows a disabled user to reactivate their account without administrator intervention, defeating the access control the Vikunja instance relies on. If a user was disabled because of suspicious activity or policy violations, they can regain access and continue any malicious activity, and an attacker who knows the disabled user's email address and can read that mailbox can take over the dormant account in the same way. The vulnerability affects Vikunja prior to version 2.2.0 [1] [2].
Mitigation
Vikunja version 2.2.0 fixes this issue. The advisory describes the fix as checking the user's disabled status in both the token request and password reset handlers [1] [3]; the two fix commits listed under Patches show the check in ResetPassword() and ConfirmEmail(), each of which now returns ErrAccountDisabled for a StatusDisabled account instead of setting it to StatusActive. Administrators are strongly urged to update to version 2.2.0 or later as soon as possible, and all users should confirm their Vikunja instance is running at least version 2.2.0.
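The following Go program is an added example, not Vikunja's own code, that models the status transition at the heart of this issue: the pre-2.2.0 reset logic beside the 2.2.0 logic taken from the fix commit, plus a hypothetical token-request gate for the path the overview describes as unfiltered. Status names and the ErrAccountDisabled type are borrowed from the page; the numeric status values, the User struct, requestResetToken and runReset are assumptions made for the example.

```go
package main

import "fmt"

// Status models Vikunja's user status constants by name. The numeric values
// are assumed for this example and are not taken from the project.
type Status int

const (
	StatusActive Status = iota
	StatusEmailConfirmationRequired
	StatusDisabled      // set by an administrator; must only be cleared by one
	StatusAccountLocked // self-service state, e.g. after repeated failed logins
)

var statusNames = map[Status]string{
	StatusActive: "active", StatusEmailConfirmationRequired: "email-confirmation-required",
	StatusDisabled: "disabled", StatusAccountLocked: "account-locked",
}

func (s Status) String() string { return statusNames[s] }

// User is a minimal stand-in for the project's user record (assumed shape).
type User struct {
	ID       int64
	Status   Status
	Password string
}

// ErrAccountDisabled mirrors the error type the 2.2.0 fix returns.
type ErrAccountDisabled struct{ UserID int64 }

func (e *ErrAccountDisabled) Error() string {
	return fmt.Sprintf("account %d is disabled", e.UserID)
}

// resetPasswordVulnerable reproduces the pre-2.2.0 logic: once the reset token
// has been validated (not modelled here) the password is replaced and the
// status is forced to active whatever it was, so a disabled account is quietly
// re-enabled.
func resetPasswordVulnerable(u *User, newPassword string) error {
	u.Password = newPassword
	u.Status = StatusActive
	return nil
}

// resetPasswordFixed reproduces the 2.2.0 logic: a disabled account is rejected
// before anything is written, and only the self-service states are promoted.
func resetPasswordFixed(u *User, newPassword string) error {
	if u.Status == StatusDisabled {
		return &ErrAccountDisabled{UserID: u.ID}
	}
	if u.Status == StatusAccountLocked || u.Status == StatusEmailConfirmationRequired {
		u.Status = StatusActive
	}
	u.Password = newPassword
	return nil
}

// requestResetToken is a hypothetical defence-in-depth gate for the token
// request path: refuse to issue a token for a disabled account so it never
// receives a reset mail. It is not part of the fix commits shown on this page.
func requestResetToken(u *User) (string, error) {
	if u.Status == StatusDisabled {
		return "", &ErrAccountDisabled{UserID: u.ID}
	}
	// A real implementation generates a random token, stores it and mails it.
	return fmt.Sprintf("token-for-%d", u.ID), nil
}

// runReset performs a reset on a constructed user starting in `start` and
// reports the resulting status, stored password and error. `fixed` selects
// the 2.2.0 logic.
func runReset(start Status, fixed bool) (Status, string, error) {
	u := &User{ID: 42, Status: start, Password: "old-hash"}
	var err error
	if fixed {
		err = resetPasswordFixed(u, "attacker-chosen")
	} else {
		err = resetPasswordVulnerable(u, "attacker-chosen")
	}
	return u.Status, u.Password, err
}

func main() {
	for _, start := range []Status{StatusActive, StatusEmailConfirmationRequired, StatusAccountLocked, StatusDisabled} {
		oldStatus, _, oldErr := runReset(start, false)
		newStatus, _, newErr := runReset(start, true)
		fmt.Printf("%-28s pre-2.2.0: %-10s err=%-6v 2.2.0: %-10s err=%v\n",
			start, oldStatus, oldErr, newStatus, newErr)
	}
}
```

Running it prints one row per starting status; only the disabled row differs between the two versions, which is exactly the transition the fix removes. The point of keeping requestResetToken separate is that the password-reset guard alone still lets a disabled user trigger reset mails; refusing at token issuance closes that path as well.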
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| code.vikunja.io/api (Go) | <= 2.1.0 | — |
Affected products
- go-vikunja/vikunja: < 2.2.0
Patches
049f4a6be46f fix: prevent email confirmation from re-enabling admin-disabled accounts
1 file changed · +4 −0
pkg/user/user_email_confirm.go+4 −0 modified@@ -47,6 +47,10 @@ func ConfirmEmail(s *xorm.Session, c *EmailConfirm) (err error) { return } + if user.Status == StatusDisabled { + return &ErrAccountDisabled{UserID: user.ID} + } + user.Status = StatusActive err = removeTokens(s, user, TokenEmailConfirm) if err != nil {
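Review bot: the line that follows the new guard, `user.Status = StatusActive`, still promotes every non-disabled status unconditionally, unlike the companion ResetPassword change, which limits the promotion to StatusAccountLocked and StatusEmailConfirmationRequired; restricting ConfirmEmail to StatusEmailConfirmationRequired would keep an email confirmation from clearing an unrelated state. The guard also hands `&ErrAccountDisabled{UserID: user.ID}` to whoever presents the confirmation token, which tells the caller that an administrator has disabled this account; consider whether that case should be indistinguishable from an invalid token. The commit touches one file and adds no test for the disabled path.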
d8570c603da1 fix: prevent password reset from re-enabling admin-disabled accounts
1 file changed · +7 −1
pkg/user/user_password_reset.go+7 −1 modified@@ -70,7 +70,13 @@ func ResetPassword(s *xorm.Session, reset *PasswordReset) (userID int64, err err return } - user.Status = StatusActive + if user.Status == StatusDisabled { + return 0, &ErrAccountDisabled{UserID: user.ID} + } + + if user.Status == StatusAccountLocked || user.Status == StatusEmailConfirmationRequired { + user.Status = StatusActive + } _, err = s. Cols("password", "status"). Where("id = ?", user.ID).
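Review bot: the guard stops the reactivation at the last step only; the token-request path that the overview describes as not filtering disabled users is not touched here, so a disabled account still receives reset mails and fails only on `/password/reset`. The same StatusDisabled check belongs where the reset token is issued so no token is created for a disabled account. The new `if user.Status == StatusAccountLocked || user.Status == StatusEmailConfirmationRequired` branch also means a lockout can be cleared by anyone with access to the account's mailbox; if lockout is intended as a brute-force brake rather than an administrative hold that is acceptable, but a comment stating the intent would help the next reader. As with the companion commit, one file changed and no regression test covers the disabled case.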
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-vq4q-79hh-q767 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-33316 (NVD advisory)
- github.com/go-vikunja/vikunja/commit/049f4a6be46f9460bd516f489ef9f569574bc70d (fix commit)
- github.com/go-vikunja/vikunja/commit/d8570c603da1f26635ce6048d6af85ede827abfb (fix commit)
- github.com/go-vikunja/vikunja/security/advisories/GHSA-vq4q-79hh-q767 (vendor advisory)
- vikunja.io/changelog/vikunja-v2.2.0-was-released (release changelog)