The Zombie Session: Breaking Vikunja's Auth with CVE-2026-27575
Source: Dev.to
Vulnerability ID: CVE-2026-27575
CVSS Score: 9.1 (Critical)
Published: 2026-02-25
CVE-2026-27575 is a critical flaw in the authentication lifecycle of Vikunja, a self‑hosted task management platform. The vulnerability has two components:
- Password updates could be set to a single character, bypassing password‑policy checks.
- Changing a password did not invalidate existing JSON Web Tokens (JWTs), allowing an attacker with a stolen token to retain indefinite access even after the victim resets their credentials.
TL;DR
Vikunja versions prior to 2.0.0 allow persistent account takeover:
- Weak password validation permits single‑character passwords.
- Password changes do not revoke active JWTs, so stolen tokens remain valid indefinitely.
Fix: Upgrade to v2.0.0 immediately.
Technical Details
- CWE IDs: CWE‑521 (Weak Password), CWE‑613 (Insufficient Session Expiration)
- Attack Vector: Network (API)
- Privileges Required: None (initial access via weak policy logic)
- Exploit Status: PoC available / trivial
- Patch Date: 2026‑02‑25
Affected Systems
- Vikunja versions < 2.0.0 (fixed in 2.0.0)
Code Analysis
Password Validation Fix
Commit: 89c17d3
type UserPassword struct {
    // NewPassword now requires a minimum length of 8 characters
    NewPassword string `json:"new_password" valid:"minLength:8"`
}
Session Revocation on Password Change
Commit: 2526853
// Logic added to invalidate sessions on password change
// (implementation details omitted for brevity)
Mitigation Strategies
- Enforce minimum password complexity on all inputs (registration, update, reset).
- Adopt stateful session management or maintain a token deny‑list to enable revocation.
- Invalidate all active sessions whenever a password is rotated.
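The two fixes above (the length rule on the password field and session invalidation on password change) can be combined in one check, as in this added Go example. It is not Vikunja's code: the `User`, `Claims` and function names are hypothetical, and it assumes the JWT signature has already been verified and that the user's password-change timestamp is stored next to the hash.

```go
package main

import (
	"errors"
	"time"
)

const minPasswordLength = 8 // the limit the fix commit enforces

var (
	ErrPasswordTooShort = errors.New("password must be at least 8 characters")
	ErrTokenRevoked     = errors.New("token issued before last password change")
)

// User is a hypothetical record; PasswordChangedAt is persisted with the hash.
type User struct {
	PasswordChangedAt time.Time
}

// Claims holds the JWT claims consulted here (signature already verified).
type Claims struct {
	IssuedAt time.Time // "iat"
}

// ValidatePassword is the single policy check every entry point must call.
func ValidatePassword(pw string) error {
	if len([]rune(pw)) < minPasswordLength {
		return ErrPasswordTooShort
	}
	return nil
}

// ChangePassword records the rotation time; that timestamp retires every
// token minted before it without a stateful deny-list.
func (u *User) ChangePassword(newPw string, now time.Time) error {
	if err := ValidatePassword(newPw); err != nil {
		return err
	}
	u.PasswordChangedAt = now
	return nil
}

// ValidateClaims rejects any token issued before the user's latest password
// change, so a stolen token dies with the old password; fresh logins pass.
func ValidateClaims(c Claims, u *User) error {
	if c.IssuedAt.Before(u.PasswordChangedAt) {
		return ErrTokenRevoked
	}
	return nil
}
```

A rejected (too-short) password change must not touch the timestamp, otherwise a failed attempt would log the user out of every device.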
Remediation Steps
- Back up the Vikunja database.
- Pull the Vikunja v2.0.0 Docker image or download the binary.
- Restart the service to trigger database migrations.
- Verify that changing a password now terminates other active sessions.