📄 Description (English)
Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue accessing the API and syncing data. Version 2.2.1 patches the issue.
🤖 AI Executive Summary
Vikunja versions 0.18.0 through 2.2.0 contain an authentication bypass vulnerability where disabled or locked user accounts can continue accessing the platform through API tokens, CalDAV, and OpenID Connect authentication paths. This critical gap in status enforcement allows unauthorized data access and synchronization despite account restrictions. The vulnerability affects self-hosted deployments commonly used in Saudi organizations for task and project management, with an active exploit available.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 26, 2026 11:47
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi government agencies, financial institutions, and enterprises using self-hosted Vikunja deployments for sensitive project and task management. Government entities under NCA oversight and SAMA-regulated financial institutions are particularly vulnerable if using Vikunja for internal collaboration. The bypass of account status checks enables former employees, contractors, or compromised accounts to maintain unauthorized access to confidential project data, financial information, and strategic planning documents. Healthcare organizations and energy sector entities managing critical infrastructure projects face elevated risk of data exfiltration and operational disruption.
🏢 Affected Saudi Sectors
Government
Banking and Financial Services
Healthcare
Energy and Utilities
Telecommunications
Education
Enterprise/Corporate
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.4
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Vikunja instances in your environment and verify current version (check /api/v1/info endpoint)
2. Disable or restrict API token authentication if not critical to operations
3. Audit CalDAV and OpenID Connect integrations for active sessions
4. Review access logs for disabled/locked accounts accessing API endpoints since version 0.18.0 deployment
5. Force logout all active sessions and revoke API tokens for disabled accounts
PATCHING:
1. Upgrade immediately to Vikunja 2.2.1 or later
2. For self-hosted deployments: pull latest image (vikunja:latest) or rebuild from source
3. Restart all Vikunja services after upgrade
4. Verify patch by checking version in admin panel
COMPENSATING CONTROLS (if immediate patching delayed):
1. Implement network-level access controls restricting API token usage to specific IP ranges
2. Disable CalDAV and OpenID Connect authentication methods until patched
3. Enforce API token expiration policies (30-day maximum)
4. Monitor /api/v1/* endpoints for requests from disabled user accounts
5. Implement WAF rules blocking API requests with tokens from disabled accounts
DETECTION RULES:
1. Alert on API requests (POST/GET /api/v1/*) from accounts with disabled status
2. Monitor CalDAV PROPFIND/GET requests from locked accounts
3. Track OpenID Connect token validation failures followed by successful API access
4. Flag multiple failed login attempts followed by successful API token usage
5. Review audit logs for access patterns inconsistent with account status
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع مثيلات Vikunja في بيئتك والتحقق من الإصدار الحالي (تحقق من نقطة نهاية /api/v1/info)
2. عطل أو قيد مصادقة رمز API إذا لم تكن حرجة للعمليات
3. قم بمراجعة تدقيق تكاملات CalDAV و OpenID Connect للجلسات النشطة
4. راجع سجلات الوصول للحسابات المعطلة/المقفلة التي تصل إلى نقاط نهاية API منذ نشر الإصدار 0.18.0
5. فرض تسجيل الخروج لجميع الجلسات النشطة وإلغاء رموز API للحسابات المعطلة
التصحيح:
1. قم بالترقية فوراً إلى Vikunja 2.2.1 أو إصدار أحدث
2. للنشرات المستضافة ذاتياً: اسحب أحدث صورة (vikunja:latest) أو أعد البناء من المصدر
3. أعد تشغيل جميع خدمات Vikunja بعد الترقية
4. تحقق من التصحيح بالتحقق من الإصدار في لوحة المسؤول
الضوابط البديلة (إذا تأخر التصحيح الفوري):
1. تنفيذ ضوابط الوصول على مستوى الشبكة تقيد استخدام رمز API على نطاقات IP محددة
2. عطل مصادقة CalDAV و OpenID Connect حتى يتم التصحيح
3. فرض سياسات انتهاء صلاحية رمز API (30 يوماً كحد أقصى)
4. مراقبة نقاط نهاية /api/v1/* للطلبات من حسابات معطلة
5. تنفيذ قواعد WAF لحظر طلبات API برموز من حسابات معطلة
قواعد الكشف:
1. تنبيه على طلبات API (POST/GET /api/v1/*) من حسابات بحالة معطلة
2. مراقبة طلبات CalDAV PROPFIND/GET من حسابات مقفلة
3. تتبع فشل التحقق من رمز OpenID Connect متبوعاً بوصول API ناجح
4. علم محاولات تسجيل دخول متعددة فاشلة متبوعة باستخدام رمز API ناجح
5. راجع سجلات التدقيق لأنماط الوصول غير المتسقة مع حالة الحساب
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.9.2.1 - User access management and authentication controls
A.9.4.3 - Password management and account lockout procedures
A.14.2.1 - Change management procedures for security patches
A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
ID.AM-1 - Asset management and inventory
PR.AC-1 - Access control policy and procedures
PR.AC-2 - Physical and logical access controls
DE.CM-1 - Detection and monitoring of unauthorized access
🟡 ISO 27001:2022
A.5.15 - Access control
A.6.2 - User access management
A.8.3 - Cryptography and authentication
A.12.6.1 - Management of technical vulnerabilities
A.14.2.1 - Change management
🟣 PCI DSS v4.0.1
Requirement 2.1 - Default security parameters
Requirement 6.2 - Security patches and updates
Requirement 7 - Restrict access to data by business need
Requirement 8.1 - User identification and authentication
🔗 References & Sources 6
🔗
https://github.com/go-vikunja/vikunja/commit/033922309f492996c928122fb49b691339199c35
security-advisories@github.com
Patch
🔗
https://github.com/go-vikunja/vikunja/commit/04704e0fde4b027039cf583110cee7afe136fc1b
security-advisories@github.com
Patch
🔗
https://github.com/go-vikunja/vikunja/commit/0b04768d830c80e9fde1b0962db1499cc652da0e
security-advisories@github.com
Patch
🔗
https://github.com/go-vikunja/vikunja/commit/fd452b9cb6457fd4f9936527a14c359818f1cca7
security-advisories@github.com
Patch
🔗
https://github.com/go-vikunja/vikunja/security/advisories/GHSA-94xm-jj8x-3cr4
security-advisories@github.com
Exploit
Vendor Advisory
🔗
https://vikunja.io/changelog/vikunja-v2.2.2-was-released
security-advisories@github.com
Release Notes
📦 Affected Products / CPE 1 entries
vikunja:vikunja