Severity: 9.1 (CVSS 3.1)

Vikunja Task Management Software Allows Weak Passwords and Keeps Sessions Valid After a Password Change

CVE-2026-27575 · GHSA-3ccg-x393-96v8
Summary

Before version 2.0.0, Vikunja's task management software did not enforce any minimum password strength, so users could choose easily guessable passwords such as 1234 or password, and sessions that were already active stayed valid after a password change. An attacker who had taken over an account (for example by brute force or credential stuffing) therefore kept access even after the victim reset their password. Both issues are fixed in version 2.0.0.

What to do

Upgrade to Vikunja 2.0.0 or later, which enforces password strength requirements and stops existing sessions from surviving a password change. On affected versions a password change alone does not evict an attacker who already holds a session, so treat any suspected account compromise as also requiring existing sessions to be terminated server-side, and ask users with short or common passwords to pick stronger ones once the upgrade is in place.

Affected software
Vendor             Product               Affected versions   Fix available
code.vikunja.io    api                   <= 0.24.6           yes (2.0.0)
vikunja            vikunja               < 2.0.0             yes (2.0.0)
api                code.vikunja.io/api   <= 0.24.6           yes (2.0.0)
Original title
Vikunja has Weak Password Policy Combined with Persistent Sessions After Password Change
Original description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An attacker who compromises an account (via brute-force or credential stuffing) can maintain persistent access even after the victim resets their password. Version 2.0.0 contains a fix.
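The two weaknesses the advisory names, CWE-521 (no password strength policy) and CWE-613 (sessions that outlive a password change), as an added Go example written for this page. It is not Vikunja's code and does not reproduce its user or session model: it uses a self-contained HMAC-signed token in place of a JWT library, a constructed denylist and timeline, and assumed names (User, ChangePassword, Issue, Authenticate, Scenario). The point it demonstrates is that a stateless token checked only for signature and expiry cannot know the password changed, and that the fix is a per-user "password changed at" marker compared against the token's issued-at time.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
	"unicode/utf8"
)

// User is a hypothetical account record for this example, not Vikunja's model.
type User struct {
	Name            string
	PasswordChanged int64 // unix seconds of the last password change, compared with token iat
}
type claims struct { // the usual JWT subject / issued-at / expiry fields
	Sub string `json:"sub"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

var signingKey = []byte("constructed-demo-key-not-for-production")                                  // constructed for the example
var denylist = map[string]bool{"1234": true, "password": true, "12345678": true, "qwerty": true} // constructed stand-in for a breached-password list

// ChangePassword is the CWE-521 gate (minimum length plus a denylist, the controls NIST
// SP 800-63B recommends over composition rules) and records when the change happened.
func ChangePassword(u *User, newPw string, now time.Time) error {
	if n := utf8.RuneCountInString(newPw); n < 12 || n > 128 {
		return errors.New("password must be 12 to 128 characters")
	}
	if denylist[strings.ToLower(newPw)] {
		return errors.New("password is on the deny list")
	}
	u.PasswordChanged = now.Unix() // a real implementation also stores the new hash here
	return nil
}

func sign(payload string) string {
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Issue mints an HMAC-SHA256 token: base64url(json claims) "." base64url(mac).
func Issue(u *User, now time.Time, ttl time.Duration) string {
	body, _ := json.Marshal(claims{Sub: u.Name, Iat: now.Unix(), Exp: now.Add(ttl).Unix()})
	payload := base64.RawURLEncoding.EncodeToString(body)
	return payload + "." + sign(payload)
}

// parse checks signature and expiry only; it knows nothing about account state.
func parse(tok string, now time.Time) (*claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 2 || !hmac.Equal([]byte(parts[1]), []byte(sign(parts[0]))) {
		return nil, errors.New("malformed token or bad signature")
	}
	var c claims
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &c) != nil || now.Unix() >= c.Exp {
		return nil, errors.New("undecodable or expired token")
	}
	return &c, nil
}

// Authenticate resolves a token to its account. With evictOnPasswordChange false it is the
// CWE-613 pattern: a validly signed, unexpired token is accepted whatever happened to the
// account since. With it true, tokens issued before the last password change are rejected.
func Authenticate(tok string, users map[string]*User, now time.Time, evictOnPasswordChange bool) (*User, error) {
	c, err := parse(tok, now)
	if err != nil {
		return nil, err
	}
	u := users[c.Sub]
	if u == nil {
		return nil, errors.New("unknown user")
	}
	if evictOnPasswordChange && c.Iat < u.PasswordChanged {
		return nil, errors.New("session predates password change")
	}
	return u, nil
}

// Scenario replays the advisory on a constructed timeline: the attacker holds a session at
// t0, the victim resets the password at t0+1h, and at t0+2h the token is checked both ways.
func Scenario() (weakAccepts, hardenedAccepts bool) {
	t0 := time.Date(2026, 2, 25, 12, 0, 0, 0, time.UTC)
	victim := &User{Name: "alice", PasswordChanged: t0.Add(-24 * time.Hour).Unix()}
	users := map[string]*User{"alice": victim}
	attackerTok := Issue(victim, t0, 30*24*time.Hour) // long-lived session won by credential stuffing
	_ = ChangePassword(victim, "a genuinely new passphrase 2026", t0.Add(time.Hour)) // passes the policy
	_, errWeak := Authenticate(attackerTok, users, t0.Add(2*time.Hour), false)
	_, errHard := Authenticate(attackerTok, users, t0.Add(2*time.Hour), true)
	return errWeak == nil, errHard == nil
}

func main() { fmt.Println(Scenario()) } // prints: true false
```

Two details matter in practice. The issued-at claim has one-second granularity, so the reset handler must persist the new PasswordChanged value before it mints the user's own fresh token, or that token is evicted too. And the same marker covers "log out everywhere": a per-user session generation counter bumped on reset works identically, while a system with server-side sessions can simply delete the user's sessions at password change instead of comparing timestamps.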
CVSS 3.1 base score (NVD): 9.1
Vulnerability type
CWE-521 (Weak Password Requirements)
CWE-613 (Insufficient Session Expiration)
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026