Critical (9.8)

CVE-2026-28268: Vikunja Password Reset Token Reuse (Account Takeover) — Critical — Patch Now


Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability in the password reset mechanism of vikunja/api that allows password r...

Overview

A critical security vulnerability exists in the Vikunja open-source task management platform. An attacker who obtains a single password reset token can reuse it to reset the victim's password at any later time and take over the account.

Vulnerability Details

In Vikunja versions before 2.1.0, the password reset mechanism contains a severe logic flaw. A password reset link sent to a user's email is supposed to be usable exactly once. Due to a programming error, these tokens were never invalidated after use. In addition, the scheduled cleanup task that was supposed to remove old tokens was broken, so expired tokens were never purged either.

Taken together, this means that any password reset token ever generated remained valid indefinitely. An attacker who obtains just one token (by intercepting unencrypted email, reading server or proxy logs, or seeing it in a browser's history, for example) can use it to reset that user's password at any future time, even years later.
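The two halves of the flaw, a consume step that never deletes the token and a cleanup job that never runs, are easiest to see side by side. The following is an added illustration in Go (Vikunja's language), not code from the Vikunja project: the store, the record layout and the function names are assumptions made for the example. `ConsumeVulnerable` accepts a token forever, while `ConsumeFixed` deletes the token before anything else and checks expiry at the point of use rather than relying on the cleanup job.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrInvalidToken is returned for unknown, already-consumed, or expired tokens.
var ErrInvalidToken = errors.New("invalid or expired password reset token")

// resetToken is a hypothetical record; Vikunja's real schema is not reproduced here.
type resetToken struct {
	userID    int64
	expiresAt time.Time
}

// TokenStore keeps issued reset tokens in memory. The clock is injectable so
// expiry can be exercised without sleeping.
type TokenStore struct {
	mu     sync.Mutex
	tokens map[string]resetToken
	now    func() time.Time
}

func NewTokenStore(now func() time.Time) *TokenStore {
	return &TokenStore{tokens: make(map[string]resetToken), now: now}
}

// Issue creates a random 256-bit token for userID that should be valid for ttl.
func (s *TokenStore) Issue(userID int64, ttl time.Duration) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(b)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.tokens[tok] = resetToken{userID: userID, expiresAt: s.now().Add(ttl)}
	return tok, nil
}

// ConsumeVulnerable models the flaw: the token is looked up and accepted but never
// deleted, and expiry is not checked here because the code assumes a periodic
// cleanup job will remove stale tokens. With that job broken, the token lives forever.
func (s *TokenStore) ConsumeVulnerable(tok string) (int64, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rt, ok := s.tokens[tok]
	if !ok {
		return 0, ErrInvalidToken
	}
	return rt.userID, nil
}

// ConsumeFixed is the hardened form: the token is removed before any other check,
// so a second presentation fails, and expiry is enforced at use time.
func (s *TokenStore) ConsumeFixed(tok string) (int64, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rt, ok := s.tokens[tok]
	if !ok {
		return 0, ErrInvalidToken
	}
	delete(s.tokens, tok)
	if !s.now().Before(rt.expiresAt) {
		return 0, ErrInvalidToken
	}
	return rt.userID, nil
}

// Cleanup is the periodic job that removes expired tokens. It is defence in depth
// once ConsumeFixed enforces expiry itself. Returns the number of tokens removed.
func (s *TokenStore) Cleanup() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	removed := 0
	for tok, rt := range s.tokens {
		if !s.now().Before(rt.expiresAt) {
			delete(s.tokens, tok)
			removed++
		}
	}
	return removed
}

func main() {
	clock := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)
	store := NewTokenStore(func() time.Time { return clock })

	tok, _ := store.Issue(42, time.Hour)
	_, first := store.ConsumeVulnerable(tok)
	clock = clock.Add(2 * 365 * 24 * time.Hour) // two years later
	_, replay := store.ConsumeVulnerable(tok)
	fmt.Println("vulnerable: first use:", first, "| replay after two years:", replay) // nil, nil

	clock = time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)
	tok2, _ := store.Issue(42, time.Hour)
	_, first = store.ConsumeFixed(tok2)
	_, replay = store.ConsumeFixed(tok2)
	fmt.Println("fixed: first use:", first, "| replay:", replay) // nil, then the error
}
```

Deleting the token before checking expiry matters: if the check came first and returned early, an expired token would stay in the table and a later bug in the cleanup job would reintroduce exactly the problem this advisory describes.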

Impact

The impact of this vulnerability is severe (CVSS Score: 9.8 - CRITICAL). Successful exploitation leads to:

  • Complete Account Takeover: An attacker can change the victim’s password and gain full, persistent control of their Vikunja account.
  • Data Breach: All tasks, notes, and project data within the compromised account are exposed.
  • Persistence: Unlike typical reset flaws, this attack is not time-sensitive. A stolen token provides a permanent backdoor.
  • Bypassed Authentication: The attacker completely bypasses normal login controls like passwords or multi-factor authentication.

Remediation and Mitigation

Immediate action is required to protect your Vikunja instance.

Primary Fix: Upgrade

The only complete solution is to upgrade Vikunja to version 2.1.0 or later. This version contains the necessary patches to properly invalidate tokens after use and fix the cleanup task.

Immediate Mitigations (If Upgrade is Delayed):

  1. Audit Logs: Review application and server logs for any suspicious access or unexpected password reset activity.
  2. User Notification: Inform all users of the critical risk. Advise them to monitor their accounts for unauthorized activity and to use strong, unique passwords.
  3. Monitor for Tokens: If possible, scan outgoing email logs or proxy logs for exposed password reset links (URLs containing /reset/).
  4. Isolate the Instance: Consider restricting network access to the Vikunja instance to only trusted users until the upgrade can be performed.
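Mitigation step 3 is easier to act on if the log scan does more than list reset URLs: since a reset token is meant to be single-use, the same token appearing in two requests is the signature of this flaw being exercised, and a long gap between the two sightings (or two different client IPs) makes the case stronger. The following is an added example, not part of the advisory or the Vikunja project. The log line format and the request paths are constructed assumptions (Vikunja's real reset route may differ; adjust `ExtractToken` to match your instance), and the token values are placeholders.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
	"time"
)

// Sighting is one request that presented a reset token.
type Sighting struct {
	When time.Time
	IP   string
}

// Finding describes a token that was presented more than once.
type Finding struct {
	Token string
	Uses  int
	Span  time.Duration // time between first and last use
	IPs   []string      // distinct client IPs, sorted
}

// ExtractToken pulls a reset token out of a request path. Assumed layouts, not
// Vikunja's confirmed routes: ".../reset/<token>" or ".../reset?token=<token>".
func ExtractToken(rawPath string) (string, bool) {
	if !strings.Contains(rawPath, "/reset") {
		return "", false
	}
	u, err := url.Parse(rawPath)
	if err != nil {
		return "", false
	}
	if t := u.Query().Get("token"); t != "" {
		return t, true
	}
	segs := strings.Split(strings.Trim(u.Path, "/"), "/")
	for i := 0; i+1 < len(segs); i++ {
		if segs[i] == "reset" && segs[i+1] != "" {
			return segs[i+1], true
		}
	}
	return "", false
}

// parseLine handles the constructed format "<RFC3339 time> <client IP> <method> <path>".
func parseLine(line string) (Sighting, string, bool) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return Sighting{}, "", false
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Sighting{}, "", false
	}
	tok, ok := ExtractToken(f[3])
	if !ok {
		return Sighting{}, "", false
	}
	return Sighting{When: ts, IP: f[1]}, tok, true
}

// FindReusedTokens groups reset requests by token and reports every token presented
// more than once. With single-use tokens that should never happen, so each hit is
// either a user double-submitting the form or an attacker replaying a stolen token.
func FindReusedTokens(lines []string) []Finding {
	byToken := map[string][]Sighting{}
	for _, l := range lines {
		if s, tok, ok := parseLine(l); ok {
			byToken[tok] = append(byToken[tok], s)
		}
	}
	var out []Finding
	for tok, ss := range byToken {
		if len(ss) < 2 {
			continue
		}
		sort.Slice(ss, func(i, j int) bool { return ss[i].When.Before(ss[j].When) })
		ipSet := map[string]bool{}
		for _, s := range ss {
			ipSet[s.IP] = true
		}
		ips := make([]string, 0, len(ipSet))
		for ip := range ipSet {
			ips = append(ips, ip)
		}
		sort.Strings(ips)
		out = append(out, Finding{Token: tok, Uses: len(ss), Span: ss[len(ss)-1].When.Sub(ss[0].When), IPs: ips})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Token < out[j].Token })
	return out
}

// SampleLog is constructed for this example: tokA is used once (benign), tokB is
// replayed more than a year later from a different address (the attack pattern).
var SampleLog = []string{
	"2026-03-01T09:00:00Z 198.51.100.10 POST /api/v1/user/password/reset/tokA",
	"2026-03-01T09:05:00Z 198.51.100.11 GET /api/v1/tasks/12",
	"2026-03-02T14:00:00Z 198.51.100.20 POST /api/v1/user/password/reset?token=tokB",
	"2027-06-15T03:12:00Z 203.0.113.77 POST /api/v1/user/password/reset?token=tokB",
	"malformed line",
}

func main() {
	for _, f := range FindReusedTokens(SampleLog) {
		fmt.Printf("token %s used %d times over %s from %v\n", f.Token, f.Uses, f.Span, f.IPs)
	}
}
```

Note that a log that contains reset tokens at all is itself one of the leak paths the advisory lists, so once the scan is done, restrict access to those logs or redact the token parameter at the proxy.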

After upgrading to 2.1.0, verify the fix on your own instance rather than assuming it: request a reset for a test account, use the link once, then confirm that a second use of the same link is rejected and that the token cleanup task is actually running. Treat any reset link that was issued before the upgrade as potentially still live until you have confirmed it is rejected. It is also good practice to encourage users to review their active sessions from the account settings page post-upgrade.
