CVE-2026-34727 HIGH

CVE-2026-34727: Vikunja ahs a TOTP Two-Factor Authentication Bypass via OIDC Login Path

Vendor Go-Vikunja
Product vikunja
Weakness CWE-287 · Improper authentication
Published April 10, 2026
Last update April 13, 2026

CVSS base score

7.4/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second factor is completely skipped. This vulnerability is fixed in 2.3.0.

Key dates

02Disclosure timeline

April 10, 2026 CVE published
April 13, 2026 Record updated