Security Advisory

CVE-2026-33668

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-03-24 15:30:27

Last updated 2026-03-26 19:52:13

Assigner GitHub_M

State PUBLISHED

Description

Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue accessing the API and syncing data. Version 2.2.1 patches the issue.

← Browse all CVEs View on cve.org ↗