CVE-2026-33473 Overview
CVE-2026-33473 is an authentication bypass vulnerability affecting Vikunja, an open-source self-hosted task management platform. The flaw allows attackers to reuse Time-based One-Time Password (TOTP) codes within their standard 30-second validity window, effectively undermining the security guarantees of two-factor authentication (2FA). This vulnerability is classified under CWE-287 (Improper Authentication).
Critical Impact
Any user with 2FA enabled can have their TOTP codes intercepted and reused within the 30-second validity window, allowing unauthorized access to protected accounts.
Affected Products
- Vikunja versions 0.13 through 2.2.0
- Self-hosted Vikunja instances with 2FA enabled
- Users who have configured TOTP-based two-factor authentication
Discovery Timeline
- 2026-03-24 - CVE CVE-2026-33473 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-33473
Vulnerability Analysis
The vulnerability exists in Vikunja's TOTP validation mechanism. TOTP (Time-based One-Time Password) authentication relies on cryptographically generated codes that are valid only for a short time window, typically 30 seconds. The security model assumes each code can only be used once—even within its validity period—to prevent replay attacks.
In vulnerable versions of Vikunja (0.13 through 2.2.0), the application fails to track whether a TOTP code has already been used during its validity window. This implementation flaw allows an attacker who has captured a valid TOTP code (through shoulder surfing, network interception, or other means) to reuse that same code multiple times until it expires.
This undermines a fundamental security property of 2FA: even if an attacker obtains both the user's password and a valid TOTP code, they should not be able to use a code that has already been consumed. The vulnerability requires network access and authenticated interaction, as the attacker must first obtain the victim's credentials and intercept their TOTP code.
Root Cause
The root cause is improper authentication handling in the TOTP verification logic. The application does not maintain a record of previously used TOTP codes within their validity window. Proper implementation requires server-side tracking of consumed codes to prevent replay attacks, which was missing in affected versions.
Attack Vector
An attacker can exploit this vulnerability through the following scenario:
- The attacker obtains the victim's username and password through phishing, credential stuffing, or other means
- The attacker observes or intercepts a valid TOTP code entered by the victim (e.g., through shoulder surfing, malware, or network interception)
- Within the 30-second validity window, the attacker submits the same TOTP code to authenticate as the victim
- The server accepts the reused code, granting the attacker access to the victim's account
The attack exploits the network-accessible authentication endpoint and requires low-privilege access (valid credentials) along with user interaction (obtaining the TOTP code). For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-33473
Indicators of Compromise
- Multiple successful 2FA authentications using the same TOTP code within a 30-second window
- Login events from different IP addresses or geolocations using identical TOTP codes
- Unusual authentication patterns showing rapid successive logins for the same user account
- Authentication logs indicating TOTP code reuse attempts
Detection Strategies
- Monitor authentication logs for duplicate TOTP code submissions that result in successful logins
- Implement alerting on multiple successful authentications for the same user from different source IPs within short time windows
- Review Vikunja application logs for patterns indicating potential TOTP replay attacks
- Deploy network monitoring to detect credential interception attempts
Monitoring Recommendations
- Enable verbose authentication logging in Vikunja to capture TOTP validation events
- Implement session correlation to track authentication attempts across the platform
- Set up alerts for anomalous login behavior such as rapid account switches or geographic impossibilities
- Consider implementing additional authentication monitoring at the reverse proxy or load balancer level
How to Mitigate CVE-2026-33473
Immediate Actions Required
- Upgrade Vikunja to version 2.2.1 or later immediately
- Review authentication logs for any signs of TOTP reuse exploitation
- Consider temporarily disabling 2FA for critical accounts until the patch is applied, while implementing compensating controls
- Notify users who have 2FA enabled about the vulnerability and the importance of upgrading
Patch Information
Vikunja version 2.2.1 addresses this vulnerability by implementing proper TOTP code tracking to prevent reuse within the validity window. Administrators should upgrade to 2.2.1 or later to receive the fix. Detailed release information is available in the Vikunja Changelog for version 2.2.0 and version 2.2.2.
Workarounds
- Implement rate limiting on authentication endpoints to reduce the window of opportunity for TOTP reuse
- Deploy additional network-level authentication monitoring and anomaly detection
- Consider implementing IP-based session binding as a compensating control
- Use hardware security keys (FIDO2/WebAuthn) as an alternative 2FA method if supported
# Example: Upgrade Vikunja using Docker
docker pull vikunja/vikunja:2.2.1
docker stop vikunja
docker rm vikunja
docker run -d --name vikunja -p 3456:3456 vikunja/vikunja:2.2.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
