CVE-2026-29794 MEDIUM

CVE-2026-29794: Vikunja has Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers

Vendor Go-Vikunja
Product vikunja
Weakness CWE-807
Published March 20, 2026
Last update March 20, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

Description

Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the `X-Forwarded-For` or `X-Real-IP` headers due to the rate-limit relying on the value of `(echo.Context).RealIP`. Unauthenticated users can abuse endpoints available to them for different potential impacts. The immediate concern would be brute-forcing usernames or specific accounts' passwords. This bypass allows unlimited requests against unauthenticated endpoints. Version 2.2.0 patches the issue.
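The weakness described above is a rate limiter keyed on an address the client itself supplies. The following Go program is an added illustration and is not Vikunja's code or Echo's: it reimplements, on the standard library only, the two ways of deriving a client key. `naiveClientIP` mirrors the behaviour of `(echo.Context).RealIP` when no trusted-proxy configuration is in place (forwarding headers win unconditionally), while `hardenedClientIP` believes `X-Forwarded-For` only when the TCP peer is in a configured proxy range. `simulateSpoofedBurst` is a defender's regression test that replays one peer's requests with rotating header values through a fixed-window counter; the proxy ranges, addresses and `/login` path are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// trustedProxies lists the reverse proxies whose forwarding headers we accept.
// Constructed for this example; a real deployment loads it from configuration.
var trustedProxies = mustParseCIDRs("10.0.0.0/8", "127.0.0.0/8")

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

func isTrustedProxy(ip string) bool {
	parsed := net.ParseIP(ip)
	for _, n := range trustedProxies {
		if parsed != nil && n.Contains(parsed) {
			return true
		}
	}
	return false
}

// remoteHost returns the IP of the TCP peer, which the client cannot forge.
func remoteHost(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// naiveClientIP is the weak pattern: whatever X-Forwarded-For or X-Real-IP
// says wins, regardless of who sent the request, so a client chooses its own key.
func naiveClientIP(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	if rip := r.Header.Get("X-Real-IP"); rip != "" {
		return strings.TrimSpace(rip)
	}
	return remoteHost(r)
}

// hardenedClientIP trusts forwarding headers only when the peer is a known proxy,
// then walks X-Forwarded-For right-to-left to the nearest hop that is not ours.
func hardenedClientIP(r *http.Request) string {
	peer := remoteHost(r)
	if !isTrustedProxy(peer) {
		return peer
	}
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		hops := strings.Split(xff, ",")
		for i := len(hops) - 1; i >= 0; i-- {
			hop := strings.TrimSpace(hops[i])
			if net.ParseIP(hop) == nil {
				break // malformed entry: fall back to the peer address
			}
			if !isTrustedProxy(hop) {
				return hop
			}
		}
	}
	return peer
}

// simulateSpoofedBurst replays n requests from one untrusted TCP peer, each with a
// different X-Forwarded-For value, through a fixed-window counter of `limit` per key,
// and returns how many requests the limiter let through.
func simulateSpoofedBurst(keyFn func(*http.Request) string, limit, n int) int {
	counts := map[string]int{}
	allowed := 0
	for i := 0; i < n; i++ {
		req := httptest.NewRequest(http.MethodPost, "/login", nil) // constructed path
		req.RemoteAddr = "203.0.113.7:51234"                         // constructed peer
		req.Header.Set("X-Forwarded-For", fmt.Sprintf("198.51.100.%d", i%250+1))
		key := keyFn(req)
		counts[key]++
		if counts[key] <= limit {
			allowed++
		}
	}
	return allowed
}
```

With a limit of 5 and 20 spoofed requests, the naive key lets all 20 through because every request lands in a fresh bucket, while the hardened key collapses them onto the real peer address and stops after 5. In Echo itself the equivalent fix is to set `e.IPExtractor` (for example `echo.ExtractIPFromXFFHeader` with explicit `echo.TrustIPRange` entries for the deployment's proxies, or `echo.ExtractIPDirect` when there is no proxy) so that `RealIP()` no longer honours headers from arbitrary peers.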

Key dates

Disclosure timeline

March 20, 2026 CVE published
March 20, 2026 Record updated