Vikunja has TOTP Reuse During Validity Window
Description
Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user who has enabled 2FA can have their TOTP reused during the standard 30-second validity window. Version 2.2.1 patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vikunja versions 0.13 through 2.2.0 allow reuse of a TOTP code within its 30-second validity window, weakening two-factor authentication.
Vulnerability
Overview
CVE-2026-33473 is a security flaw in Vikunja, an open-source self-hosted task management platform. The vulnerability affects all versions from 0.13 up to (but not including) 2.2.1. The root cause is that the TOTP validation function (ValidateTOTPPasscode in pkg/user/totp.go) does not track whether a specific one-time password has already been used within its 30-second validity window [1][4]. This means that once a user successfully authenticates with a valid TOTP, the same code can be reused by another session for the same user within that window [4].
Exploitation
Conditions
To exploit this vulnerability, an attacker must first obtain a valid TOTP code generated by the victim's authenticator app. This could occur through phishing, social engineering, or intercepting the code over an insecure channel. The attacker also needs the victim's username and password. Once the attacker has these credentials and a captured TOTP, they can reuse that TOTP to authenticate as the victim in a separate session, bypassing the intended one-time-use property of the TOTP [4]. The attack does not require any special network position beyond being able to submit authentication requests to the Vikunja server.
Impact
Successful exploitation allows an attacker to gain authenticated access to the victim's Vikunja account, bypassing the second factor of authentication. This undermines the defense-in-depth model that two-factor authentication is intended to provide [4]. The impact is limited to accounts that have 2FA enabled, and the attacker must already possess the user's password and a valid TOTP code. However, the ability to reuse the TOTP significantly increases the window of opportunity for an attacker who has intercepted a code.
Mitigation
The vulnerability is patched in Vikunja version 2.2.1 [1][3]. The fix involves maintaining a deny-list of used TOTP codes for the duration of their validity window, preventing reuse [4]. Users are strongly advised to update to version 2.2.1 or later. No workarounds are mentioned in the available references.
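The deny-list approach described above, as an added example that is not Vikunja's own code: a stdlib-only Go validator that computes RFC 6238 codes (HMAC-SHA1, six digits) and remembers each accepted (user, code) pair until its window has passed, so a second submission of the same code is refused. The Validator type, its key layout and the two-period retention are assumptions for illustration, not the project's implementation; the secret used in the test is the RFC 4226/6238 test vector.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"sync"
	"time"
)

// totpPeriod is the standard 30-second validity window (RFC 6238 default).
const totpPeriod = 30
// totpCode computes an RFC 6238 six-digit code (HMAC-SHA1) for one time step.
func totpCode(secret []byte, step uint64) string {
	mac := hmac.New(sha1.New, secret)
	_ = binary.Write(mac, binary.BigEndian, step) // 8-byte big-endian counter (RFC 4226)
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation offset
	bin := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}
// Validator remembers accepted (user, code) pairs: the bookkeeping the vulnerable versions lacked.
type Validator struct {
	mu   sync.Mutex
	used map[string]time.Time // key: userID + ":" + code, value: expiry of the entry
}
func NewValidator() *Validator { return &Validator{used: make(map[string]time.Time)} }
// Validate accepts a code only if it matches the current step and was not already accepted for this user.
func (v *Validator) Validate(userID string, secret []byte, code string, now time.Time) bool {
	step := uint64(now.Unix()) / totpPeriod
	if subtle.ConstantTimeCompare([]byte(totpCode(secret, step)), []byte(code)) != 1 {
		return false
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	for k, exp := range v.used { // evict expired entries so the deny-list stays bounded
		if !now.Before(exp) {
			delete(v.used, k)
		}
	}
	key := userID + ":" + code
	if _, seen := v.used[key]; seen {
		return false // same code replayed inside the window: reject
	}
	// Retain for two periods: the window plus one step of clock skew (assumed value, not the project's).
	v.used[key] = now.Add(2 * totpPeriod * time.Second)
	return true
}
```

The lock matters as much as the map: two sessions submitting the same code concurrently must not both pass the check before either records it.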
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| code.vikunja.io/api (Go) | >= 0.13 | — |
Affected products
- go-vikunja/vikunja: range >= 0.13, < 2.2.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-p747-qc5p-773r (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33473 (ghsa, ADVISORY)
- github.com/go-vikunja/vikunja/security/advisories/GHSA-p747-qc5p-773r (ghsa, x_refsource_CONFIRM, WEB)
- vikunja.io/changelog/vikunja-v2.2.0-was-released (ghsa, x_refsource_MISC, WEB)
- vikunja.io/changelog/vikunja-v2.2.2-was-released (ghsa, x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.