CVE-2026-33315 Overview
CVE-2026-33315 is an authentication bypass vulnerability in Vikunja, an open-source self-hosted task management platform. The vulnerability exists in versions prior to 2.2.0 where the CalDAV endpoint allows login using Basic Authentication, enabling attackers to bypass Time-based One-Time Password (TOTP) verification on accounts with two-factor authentication (2FA) enabled. This flaw allows unauthorized access to project information that should be protected behind 2FA, including project names, descriptions, and other sensitive task management data.
Critical Impact
Attackers can bypass 2FA protections on Vikunja accounts by exploiting the CalDAV endpoint's Basic Authentication mechanism, gaining unauthorized access to protected project data.
Affected Products
- Vikunja versions prior to 2.2.0
- Self-hosted Vikunja instances with CalDAV integration enabled
- Vikunja deployments relying on 2FA/TOTP for account security
Discovery Timeline
- 2026-03-24 - CVE-2026-33315 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-33315
Vulnerability Analysis
This vulnerability represents an Authentication Bypass flaw classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel). The core issue lies in how Vikunja's CalDAV endpoint handles authentication requests. While the main application interface properly enforces 2FA/TOTP verification when configured, the CalDAV API endpoint accepts Basic Authentication credentials without requiring the secondary TOTP factor.
This creates a parallel authentication path that bypasses the security controls implemented in the primary authentication flow. An attacker with knowledge of valid user credentials can leverage this alternate authentication channel to access protected resources without completing the full multi-factor authentication process.
The vulnerability allows access to standard project information including project names, descriptions, and potentially task data that users intended to protect with 2FA enforcement.
Root Cause
The root cause of CVE-2026-33315 stems from inconsistent authentication enforcement across different API endpoints. The CalDAV integration, which provides calendar and task synchronization capabilities with external applications, was implemented with Basic Authentication support to maintain compatibility with standard CalDAV clients. However, the authentication logic for this endpoint failed to verify whether the authenticating user's account had 2FA enabled and whether the TOTP challenge had been satisfied.
This architectural oversight created a security bypass where the CalDAV endpoint operated independently of the 2FA enforcement logic applied to other parts of the application.
Attack Vector
The attack is network-based and requires no user interaction. An attacker who has obtained valid user credentials through phishing, credential stuffing, or other means can directly authenticate to the CalDAV endpoint using HTTP Basic Authentication. The attack sequence involves:
- The attacker identifies a Vikunja instance with CalDAV enabled
- Using compromised credentials, the attacker crafts a request to the CalDAV endpoint with Basic Authentication headers
- The CalDAV endpoint validates the username and password but fails to check for 2FA requirements
- The attacker gains access to the user's project data, bypassing the TOTP protection the user had enabled
The CalDAV endpoint, typically reachable under paths such as /dav/, accepts standard HTTP Basic Authentication headers, so an attacker who already holds valid credentials needs nothing beyond an ordinary CalDAV client request to exploit the flaw.
Detection Methods for CVE-2026-33315
Indicators of Compromise
- Unusual CalDAV endpoint access from unexpected IP addresses or geographic locations
- Authentication logs showing successful CalDAV logins for 2FA-enabled accounts without corresponding TOTP verification events
- Increased CalDAV API requests from accounts that don't typically use calendar synchronization
- Access patterns showing data retrieval via CalDAV for users who normally access the web interface
Detection Strategies
- Monitor authentication logs for CalDAV endpoint access and correlate with 2FA verification logs
- Implement alerting for successful CalDAV authentications from 2FA-enabled accounts
- Review access logs for the /dav/ endpoint path for anomalous patterns
- Deploy web application firewalls with rules to detect and alert on Basic Authentication bypass attempts
Monitoring Recommendations
- Enable detailed logging for all CalDAV endpoint authentication attempts
- Configure security information and event management (SIEM) rules to detect 2FA bypass scenarios
- Implement user and entity behavior analytics (UEBA) to identify unusual CalDAV access patterns
- Regularly audit accounts with 2FA enabled for any unexpected CalDAV-based access
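The detection strategies and monitoring recommendations above can be reduced to a small log-correlation job. The following Go program is an added example written for this page, not part of Vikunja or of any official advisory. It parses constructed nginx "combined"-format access-log lines from a reverse proxy in front of Vikunja (the third field, $remote_user, is the username nginx extracts from a Basic Authentication header, so the proxy log alone records who authenticated to /dav/), joins them against a constructed list of 2FA-enabled accounts and a constructed baseline of accounts known to use CalDAV, and emits findings for: a 2FA-enabled account authenticating to /dav/ with Basic Authentication, a CalDAV login from an account outside the baseline, and one account reaching /dav/ from several client addresses. The usernames, IPs, paths and user agents in the sample are invented.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// sampleLog is constructed test data in nginx "combined" format; nothing here
// comes from a real deployment. Note the 207 Multi-Status replies that a
// successful CalDAV PROPFIND produces.
const sampleLog = `10.0.0.5 - alice [24/Mar/2026:10:15:02 +0000] "PROPFIND /dav/principals/alice/ HTTP/1.1" 207 812 "-" "DAVx5/4.3"
203.0.113.7 - alice [24/Mar/2026:10:16:41 +0000] "PROPFIND /dav/projects/12/ HTTP/1.1" 207 4096 "-" "curl/8.5.0"
198.51.100.9 - bob [24/Mar/2026:10:17:10 +0000] "PROPFIND /dav/principals/bob/ HTTP/1.1" 207 512 "-" "Thunderbird/115"
203.0.113.7 - carol [24/Mar/2026:10:18:00 +0000] "PROPFIND /dav/principals/carol/ HTTP/1.1" 207 640 "-" "curl/8.5.0"
10.0.0.8 - - [24/Mar/2026:10:19:30 +0000] "GET /api/v1/projects HTTP/1.1" 200 2048 "-" "Mozilla/5.0"`

// Entry is one parsed access-log line.
type Entry struct {
	IP, User, Method, Path string
	Status                 int
}

// Finding is one alert produced by the rules below.
type Finding struct {
	Rule, User, IP, Detail string
}

// lineRe captures client IP, $remote_user, request method, path and status.
var lineRe = regexp.MustCompile(`^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) `)

// parseLine returns false for lines that are not in combined format.
func parseLine(line string) (Entry, bool) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return Entry{}, false
	}
	status, err := strconv.Atoi(m[5])
	if err != nil {
		return Entry{}, false
	}
	return Entry{IP: m[1], User: m[2], Method: m[3], Path: m[4], Status: status}, true
}

// analyze applies three rules to successful, authenticated requests under /dav/.
// twoFAUsers comes from the application's account database; knownCalDAVUsers is
// the baseline of accounts that legitimately sync calendars.
func analyze(logText string, twoFAUsers, knownCalDAVUsers map[string]bool) []Finding {
	var findings []Finding
	ipsByUser := map[string]map[string]bool{}
	for _, line := range strings.Split(logText, "\n") {
		e, ok := parseLine(line)
		if !ok || !strings.HasPrefix(e.Path, "/dav/") || e.User == "-" {
			continue
		}
		if e.Status < 200 || e.Status > 299 {
			continue // 401/403 means the endpoint refused the credentials
		}
		if twoFAUsers[e.User] {
			// On a vulnerable version this is exactly the bypass: password-only
			// CalDAV access to an account that should require a TOTP code.
			findings = append(findings, Finding{"2fa-account-used-basic-auth", e.User, e.IP, e.Method + " " + e.Path})
		}
		if !knownCalDAVUsers[e.User] {
			findings = append(findings, Finding{"caldav-use-outside-baseline", e.User, e.IP, e.Method + " " + e.Path})
		}
		if ipsByUser[e.User] == nil {
			ipsByUser[e.User] = map[string]bool{}
		}
		ipsByUser[e.User][e.IP] = true
	}
	for user, ips := range ipsByUser {
		if len(ips) > 1 {
			findings = append(findings, Finding{"multiple-source-ips", user, "", fmt.Sprintf("%d distinct client addresses", len(ips))})
		}
	}
	return findings
}

// countByRule summarises findings for a quick dashboard or a test.
func countByRule(fs []Finding) map[string]int {
	counts := map[string]int{}
	for _, f := range fs {
		counts[f.Rule]++
	}
	return counts
}

func main() {
	twoFA := map[string]bool{"alice": true, "carol": true}   // constructed
	known := map[string]bool{"alice": true, "bob": true}     // constructed
	for _, f := range analyze(sampleLog, twoFA, known) {
		fmt.Printf("[%s] user=%s ip=%s %s\n", f.Rule, f.User, f.IP, f.Detail)
	}
}
```

Run against the sample, the first rule fires three times (alice twice, carol once), the baseline rule once (carol), and the multi-address rule once (alice from 10.0.0.5 and 203.0.113.7). In production, feed the same rules from the proxy log into the SIEM, and treat the first rule as high severity while the instance is still on a version before 2.2.0: on a patched instance a 2FA-enabled account should not be able to complete a password-only CalDAV login at all.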
How to Mitigate CVE-2026-33315
Immediate Actions Required
- Upgrade Vikunja to version 2.2.0 or later immediately
- Review audit logs for any suspicious CalDAV endpoint access on 2FA-enabled accounts
- Consider temporarily disabling CalDAV access until the patch is applied
- Notify users with 2FA-enabled accounts to review their access history for unauthorized activity
Patch Information
The vulnerability has been patched in Vikunja version 2.2.0. The fix ensures that 2FA verification is properly enforced across all authentication channels, including the CalDAV endpoint. The patch commit (cdf5d30a425d032f749b78b98b828f25ad882615) modifies the authentication flow to require TOTP verification before granting access via CalDAV Basic Authentication for accounts with 2FA enabled.
For detailed patch information, refer to the GitHub Security Advisory GHSA-47cr-f226-r4pq and the Vikunja v2.2.0 Release Changelog.
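To make the root cause and the shape of the fix concrete, here is an added Go example written for this page. It is not Vikunja's code and does not reproduce the actual patch; the User record, the in-memory user table, and the way a TOTP code reaches the CalDAV handler (passed as a separate argument here) are all assumptions. It places the flawed pattern, where the CalDAV path authenticates on the password alone and never consults the account's 2FA flag (CWE-288), beside a corrected path that refuses password-only access for 2FA-enabled accounts and verifies an RFC 6238 TOTP code (HMAC-SHA1, 30-second step, six digits) before granting access.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// User is a constructed stand-in for an account record, not Vikunja's model.
// The password is plaintext only to keep the demo short; store a bcrypt or
// argon2 hash in a real system.
type User struct {
	Name        string
	Password    string
	TOTPEnabled bool
	TOTPSecret  []byte
}

// Constructed accounts. alice's secret is the RFC 6238 test-vector key.
var users = map[string]User{
	"alice": {Name: "alice", Password: "correct horse", TOTPEnabled: true, TOTPSecret: []byte("12345678901234567890")},
	"bob":   {Name: "bob", Password: "hunter2", TOTPEnabled: false},
}

var (
	ErrBadCredentials = errors.New("invalid username or password")
	ErrTOTPRequired   = errors.New("account has 2FA enabled: a TOTP code is required")
	ErrTOTPInvalid    = errors.New("invalid TOTP code")
)

// checkPassword verifies the first factor only, in constant time.
func checkPassword(username, password string) (User, error) {
	u, ok := users[username]
	if !ok || subtle.ConstantTimeCompare([]byte(u.Password), []byte(password)) != 1 {
		return User{}, ErrBadCredentials
	}
	return u, nil
}

// totpCode implements RFC 6238 with HMAC-SHA1, a 30-second step and 6 digits.
func totpCode(secret []byte, t time.Time) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(t.Unix()/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation (RFC 4226 section 5.3)
	code := (uint32(sum[off]&0x7f)<<24 | uint32(sum[off+1])<<16 | uint32(sum[off+2])<<8 | uint32(sum[off+3])) % 1000000
	return fmt.Sprintf("%06d", code)
}

// authenticateCalDAVVulnerable mirrors the flawed pattern: the password alone
// grants access and the account's 2FA setting is never consulted.
func authenticateCalDAVVulnerable(username, password string) (User, error) {
	return checkPassword(username, password)
}

// authenticateCalDAVFixed consults the 2FA flag and will not proceed on the
// password alone. A production verifier would also accept one step of clock
// drift on either side and reject a code that has already been used.
func authenticateCalDAVFixed(username, password, totp string, now time.Time) (User, error) {
	u, err := checkPassword(username, password)
	if err != nil {
		return User{}, err
	}
	if !u.TOTPEnabled {
		return u, nil
	}
	if totp == "" {
		return User{}, ErrTOTPRequired
	}
	if subtle.ConstantTimeCompare([]byte(totpCode(u.TOTPSecret, now)), []byte(totp)) != 1 {
		return User{}, ErrTOTPInvalid
	}
	return u, nil
}

func main() {
	now := time.Now()
	_, err := authenticateCalDAVVulnerable("alice", "correct horse")
	fmt.Println("vulnerable path, 2FA account, password only:", err)
	_, err = authenticateCalDAVFixed("alice", "correct horse", "", now)
	fmt.Println("fixed path, 2FA account, password only:", err)
	_, err = authenticateCalDAVFixed("alice", "correct horse", totpCode(users["alice"].TOTPSecret, now), now)
	fmt.Println("fixed path, 2FA account, with current code:", err)
}
```

Whether a CalDAV deployment should accept a TOTP code at all is a design choice: standard CalDAV clients cannot prompt for one, so an equally sound hardening is to reject Basic Authentication outright for 2FA-enabled accounts and issue per-client application tokens instead. What the vulnerable and fixed paths above share is the lesson of the advisory: every authentication channel, not only the primary login form, must consult the same 2FA state.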
Workarounds
- Disable CalDAV functionality entirely if not required until the patch can be applied
- Implement network-level restrictions to limit CalDAV endpoint access to trusted IP ranges
- Use a reverse proxy to block or restrict access to the /dav/ endpoint paths
- Require VPN access for CalDAV synchronization to add an additional authentication layer
# Example nginx configuration to restrict CalDAV access
# Add to your Vikunja server block as a temporary mitigation
location /dav/ {
    # Restrict CalDAV access to trusted internal networks only.
    # The access checks run before the request is proxied, so nothing
    # outside these ranges reaches the Vikunja backend.
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny all;
    # Alternatively, disable CalDAV entirely until patched (this returns
    # 403 for every client, including the allowed ranges above):
    # return 403 "CalDAV temporarily disabled for security";
    # "vikunja-backend" must match an upstream block or host name that
    # points at your Vikunja API server.
    proxy_pass http://vikunja-backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

