This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1 What is this vulnerability? (Essence + Consequences)
**Essence**: Vikunja < v2.1.0 has an **Authorization Issue**. Password reset tokens can be **reused indefinitely**. **Consequences**: Leads to **Account Takeover (ATO)**. …
**Root Cause**: **CWE-459** (Incomplete Cleanup). The system fails to invalidate or expire password reset tokens after use. **Flaw**: Lack of one-time-use enforcement or strict expiration logic for recovery tokens.
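The root cause described above, shown as an added Go example that is not Vikunja's code: a hypothetical in-memory reset-token store whose `LookupWeak` validates a token without ever invalidating it (the CWE-459 behaviour), beside `Consume`, which enforces single use and expiry. All type and function names are assumptions for this illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"time"
)

// resetEntry is what the server keeps per issued token: owner and deadline.
type resetEntry struct {
	userID  int64
	expires time.Time
}

// ResetStore is a hypothetical in-memory token store constructed for this
// example; it is not Vikunja's code. A database-backed store would run the
// same check-and-delete in one transaction.
type ResetStore map[string]resetEntry

// Issue mints a 256-bit random token for userID that is valid for ttl.
func (s ResetStore) Issue(userID int64, ttl time.Duration) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	s[tok] = resetEntry{userID: userID, expires: time.Now().Add(ttl)}
	return tok, nil
}

// LookupWeak mirrors the CWE-459 flaw: the token is validated but never
// removed or expired, so one reset link keeps working indefinitely.
func (s ResetStore) LookupWeak(tok string) (int64, bool) {
	if e, ok := s[tok]; ok {
		return e.userID, true
	}
	return 0, false
}

// Consume is the hardened form: the entry is removed on first use, whether
// valid or expired, and the deadline is enforced, so a link cannot be replayed.
func (s ResetStore) Consume(tok string) (int64, bool) {
	e, ok := s[tok]
	delete(s, tok) // one-time use, even when the check below fails
	if !ok || !time.Now().Before(e.expires) {
		return 0, false
	}
	return e.userID, true
}
```

Unknown, already-used and expired tokens all fail identically from `Consume`, so the caller learns nothing about why a link was rejected.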
Q3 Who is affected? (Versions/Components)
**Affected**: **Vikunja** (open-source to-do app). **Versions**: All versions **prior to 2.1.0**. **Vendor**: go-vikunja. If you are running an older self-hosted instance, you are at risk.
Q4 What can hackers do? (Privileges/Data)
**Attacker Actions**: Full **Account Takeover**. **Data Access**: Read/write all tasks, projects, and personal data. **Privileges**: Gain full administrative control over the victim's Vikunja account. …
**Self-Check**: 1. Check your Vikunja version. 2. If < v2.1.0, you are vulnerable. 3. Monitor logs for repeated password reset requests for the same user. 4. …
**Fixed**: **Yes**. **Patch Date**: Released in **Vikunja v2.1.0** (Feb 27, 2026). **Action**: Upgrade immediately to v2.1.0 or later. See the GitHub commit for details.
Q9 What if no patch? (Workaround)
**No Patch Workaround**: 1. **Disable** password reset functionality if possible. 2. **Monitor** token usage closely. 3. **Shorten** token expiration times in config (if configurable). 4. …