CVE-2026-34727 Overview
CVE-2026-34727 is an authentication bypass vulnerability in Vikunja, an open-source self-hosted task management platform. The vulnerability exists in the OIDC (OpenID Connect) callback handler, which issues a full JWT token without verifying whether the matched user has TOTP (Time-based One-Time Password) two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second authentication factor is completely bypassed, allowing unauthorized access to protected accounts.
Critical Impact
Attackers can bypass two-factor authentication protections by exploiting the OIDC email fallback mechanism, gaining full access to accounts that should require TOTP verification.
Affected Products
- Vikunja versions prior to 2.3.0
Discovery Timeline
- 2026-04-10 - CVE-2026-34727 published to NVD
- 2026-04-13 - NVD entry last updated
Technical Details for CVE-2026-34727
Vulnerability Analysis
This vulnerability is classified as CWE-287 (Improper Authentication), representing a significant flaw in the authentication flow logic. The core issue lies in the OIDC callback handler's failure to enforce the complete authentication chain when users have enabled TOTP-based two-factor authentication.
When a user authenticates via an external OIDC provider and the system matches their account using the email fallback mechanism, the application incorrectly assumes that OIDC authentication alone is sufficient. This assumption breaks the security model for users who have explicitly configured TOTP as an additional authentication layer for their local accounts.
The authentication bypass requires network access and specific conditions to be met: the target user must have TOTP enabled on their local account, and the attacker must be able to complete a login at one of the OIDC providers configured for the Vikunja instance using an identity whose email claim matches the victim's account. The attacker does not need the victim's password or TOTP secret. While the attack complexity is rated high because of these prerequisites, successful exploitation grants unauthorized access without requiring any user interaction.
Root Cause
The root cause is a logic flaw in the authentication workflow where the OIDC callback handler fails to check the totp_enabled flag (or equivalent) for matched user accounts before issuing a JWT token. The code path that handles OIDC authentication does not invoke the same TOTP verification logic that would be triggered during standard local authentication, resulting in the second factor being completely skipped.
Attack Vector
The attack vector is network-based and involves the following exploitation path:
- The attacker identifies a target user account in Vikunja that has TOTP two-factor authentication enabled
- The attacker obtains, at an OIDC provider the Vikunja instance trusts, an identity whose email claim equals the victim's address (for example a provider the attacker controls, a provider that does not verify email addresses, or a compromised account at the legitimate provider)
- When authenticating via the OIDC callback endpoint, the Vikunja server matches the attacker's session to the victim's local account using the email fallback mechanism
- The server issues a full JWT token without prompting for the TOTP code, granting the attacker complete access to the victim's account
The vulnerability manifests in the OIDC callback handling logic where JWT token issuance occurs before TOTP verification. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-34727
Indicators of Compromise
- Successful authentication events via OIDC for accounts that have TOTP enabled but no corresponding TOTP verification in audit logs
- JWT tokens issued for TOTP-protected accounts without preceding TOTP challenge events
- Unusual login patterns where OIDC authentication bypasses expected MFA prompts
Detection Strategies
- Monitor authentication logs for discrepancies between OIDC logins and TOTP verification events for accounts with MFA enabled
- Implement alerting on successful authentications via OIDC callback endpoint for users with totp_enabled flags set
- Review access logs for anomalous session creation patterns that skip expected authentication steps
Monitoring Recommendations
- Enable verbose logging for authentication events including OIDC callback processing
- Create correlation rules that flag OIDC authentications for TOTP-enabled accounts that lack subsequent TOTP verification
- Audit user access patterns for accounts that have both OIDC and local authentication configured
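The correlation rule from the detection and monitoring lists above, written out as an added example in Go (this is not code from the page or from the Vikunja project). The log lines are constructed here, and the event names (auth.login, auth.totp.verify), the key=value layout and the totpEnabled table are assumptions; map them onto whatever your instance actually emits and onto the TOTP status column in your user table.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// sampleLog is a constructed audit stream in a made-up "<RFC3339 time> key=value ..." shape; adapt parseLine to your real format.
const sampleLog = `
2026-04-12T09:00:00Z event=auth.login method=local user=carol@example.com result=success
2026-04-12T09:00:03Z event=auth.totp.verify user=carol@example.com result=success
2026-04-12T09:10:00Z event=auth.login method=oidc provider=corp user=alice@example.com result=success
2026-04-12T09:15:00Z event=auth.login method=oidc provider=corp user=bob@example.com result=success
2026-04-12T09:20:00Z event=auth.login method=oidc provider=corp user=carol@example.com result=success
2026-04-12T09:20:05Z event=auth.totp.verify user=carol@example.com result=success
`

// totpEnabled stands in for the user table's TOTP status (the page's "totp_enabled flag or equivalent").
var totpEnabled = map[string]bool{"alice@example.com": true, "carol@example.com": true}

type Event struct {
	Time   time.Time
	Fields map[string]string
}

type Finding struct {
	User, Provider string
	At             time.Time
}

// parseLine splits one "time k=v k=v" record; anything malformed is an error rather than a silent skip.
func parseLine(line string) (Event, error) {
	parts := strings.Fields(line)
	if len(parts) < 2 {
		return Event{}, fmt.Errorf("malformed record: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, parts[0])
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp in %q: %w", line, err)
	}
	ev := Event{Time: ts, Fields: make(map[string]string, len(parts)-1)}
	for _, kv := range parts[1:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return Event{}, fmt.Errorf("bad field %q in %q", kv, line)
		}
		ev.Fields[k] = v
	}
	return ev, nil
}

// parseLog parses every non-empty line and returns the events in time order.
func parseLog(text string) ([]Event, error) {
	var events []Event
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		ev, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	sort.SliceStable(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	return events, sc.Err()
}

// findTOTPBypass flags every successful OIDC login for a TOTP-enabled user that is not
// followed by a successful TOTP verification for the same user within window.
func findTOTPBypass(events []Event, totpUsers map[string]bool, window time.Duration) []Finding {
	var findings []Finding
	for i, ev := range events {
		f := ev.Fields
		if f["event"] != "auth.login" || f["method"] != "oidc" || f["result"] != "success" || !totpUsers[f["user"]] {
			continue
		}
		verified := false
		for _, later := range events[i+1:] {
			if later.Time.Sub(ev.Time) > window {
				break
			}
			lf := later.Fields
			if lf["event"] == "auth.totp.verify" && lf["user"] == f["user"] && lf["result"] == "success" {
				verified = true
				break
			}
		}
		if !verified {
			findings = append(findings, Finding{User: f["user"], Provider: f["provider"], At: ev.Time})
		}
	}
	return findings
}

func main() {
	events, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range findTOTPBypass(events, totpEnabled, 2*time.Minute) {
		fmt.Printf("ALERT %s OIDC login via %q for TOTP-enabled %s, no TOTP verification\n", f.At.Format(time.RFC3339), f.Provider, f.User)
	}
}
```

On the constructed sample only alice's login is reported: bob has no TOTP, carol's OIDC login is followed by a verification inside the window, and carol's local login is not an OIDC event. On an unpatched instance there is no TOTP step for OIDC logins at all, so every hit is an exposure to review against source address and provider rather than proof of compromise; after the upgrade to 2.3.0 the same rule confirms that the second factor is now actually being enforced.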
How to Mitigate CVE-2026-34727
Immediate Actions Required
- Upgrade Vikunja to version 2.3.0 or later immediately
- Review authentication logs for any signs of TOTP bypass exploitation
- Consider temporarily disabling OIDC authentication until the upgrade is complete if high-value accounts with TOTP are at risk
Patch Information
This vulnerability is fixed in Vikunja version 2.3.0. The patch ensures that the OIDC callback handler properly checks whether matched user accounts have TOTP enabled and enforces the second authentication factor before issuing JWT tokens. Administrators should upgrade to version 2.3.0 or later as soon as possible. For additional details, see the GitHub Security Advisory.
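To make the Root Cause and the shape of the fix concrete, here is an added illustration in Go, not code from the page or from Vikunja: a minimal model of an OIDC callback with subject-then-email account matching, first as the vulnerable handler that hands out a full token to whatever account the lookup returns, then as a hardened handler that only issues a pending token for TOTP-enabled accounts and requires completeTOTP to finish the login. The account fields, the constructed user store, the pending-token design and the RFC 6238 routine are all assumptions made for this example; the actual 2.3.0 patch may be structured differently.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)
// User is a hypothetical account record; the field names are assumptions, not Vikunja's schema.
type User struct {
	ID          int64
	Email       string
	OIDCSubject string // set only for accounts previously linked to an OIDC identity
	TOTPEnabled bool
	TOTPSecret  []byte // raw RFC 6238 shared secret
}
// OIDCClaims is what the provider asserted for the session being completed.
type OIDCClaims struct{ Subject, Email string }
// Token models the handler's result; Full=false is a pending token usable only to finish the second factor.
type Token struct {
	UserID int64
	Full   bool
}
var ErrNoUser = errors.New("no matching account")
var ErrBadTOTP = errors.New("invalid TOTP passcode")
// Constructed store: alice is a local TOTP-protected account never linked to OIDC; bob came from OIDC, no TOTP.
var users = []*User{
	{ID: 1, Email: "alice@example.com", TOTPEnabled: true, TOTPSecret: []byte("12345678901234567890")},
	{ID: 2, Email: "bob@example.com", OIDCSubject: "idp|bob"},
}

// findUser matches the stable OIDC subject first, then falls back to the e-mail claim (the abusable step).
func findUser(c OIDCClaims) (*User, error) {
	for _, u := range users {
		if u.OIDCSubject != "" && u.OIDCSubject == c.Subject {
			return u, nil
		}
	}
	for _, u := range users {
		if u.Email == c.Email {
			return u, nil
		}
	}
	return nil, ErrNoUser
}

// vulnerableCallback mirrors the flaw: whoever findUser returns gets a full session token.
func vulnerableCallback(c OIDCClaims) (Token, error) {
	u, err := findUser(c)
	if err != nil {
		return Token{}, err
	}
	return Token{UserID: u.ID, Full: true}, nil // TOTPEnabled is never consulted
}

// hardenedCallback gives a TOTP-enabled account only a pending token; completeTOTP issues the full one.
func hardenedCallback(c OIDCClaims) (Token, error) {
	u, err := findUser(c)
	if err != nil {
		return Token{}, err
	}
	return Token{UserID: u.ID, Full: !u.TOTPEnabled}, nil
}

// completeTOTP upgrades a pending token to a full one once the passcode verifies.
func completeTOTP(pending Token, code string, now time.Time) (Token, error) {
	for _, u := range users {
		if pending.Full || u.ID != pending.UserID || !u.TOTPEnabled {
			continue
		}
		want := totpCode(u.TOTPSecret, uint64(now.Unix()/30))
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) != 1 {
			return Token{}, ErrBadTOTP
		}
		return Token{UserID: u.ID, Full: true}, nil
	}
	return Token{}, ErrNoUser
}

// totpCode is RFC 6238 with HMAC-SHA1, a 30 s step and 6 digits (no clock-skew window, to stay short).
func totpCode(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

func main() {
	attacker := OIDCClaims{Subject: "idp|attacker", Email: "alice@example.com"} // e-mail claim is alice's
	v, _ := vulnerableCallback(attacker)
	h, _ := hardenedCallback(attacker)
	fmt.Printf("vulnerable: user=%d full=%v | hardened: user=%d full=%v\n", v.UserID, v.Full, h.UserID, h.Full)
}
```

The attacker's claims carry an unknown subject but alice's e-mail, so findUser falls through to the e-mail match in both versions; the difference is only what the handler does with the match. The hardened path still lets the attacker reach the TOTP step, which is the page's stated fix; a stricter design would refuse the e-mail fallback outright for accounts that were never linked to an OIDC identity, which is the intent of the "remove the email fallback" workaround below.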
Workarounds
- Disable OIDC authentication entirely until the patch can be applied if critical accounts are at risk
- Remove the email fallback mechanism for OIDC user matching if configuration allows
- Require all users to re-authenticate and verify TOTP enrollment status after applying the patch
# Configuration example - Disable OIDC authentication temporarily
# In your Vikunja configuration file (config.yml); the same setting can be
# supplied through the environment as VIKUNJA_AUTH_OPENID_ENABLED=false
# Option 1: Disable OIDC providers
auth:
  openid:
    enabled: false
# Option 2: After upgrade, verify the running version
vikunja version
# Expected output: 2.3.0 or higher
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

