GHSA-RFJG-6M84-CRJ2

Vulnerability from github – Published: 2026-02-28 01:59 – Updated: 2026-02-28 01:59
VLAI?
Summary
Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse
Details

Summary A critical business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever.

This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls.

Technical Analysis The vulnerability stems from two distinct logic errors in the pkg/user/ package that confirm the tokens are never removed.

  1. Logic Error in Password Reset (No Invalidation) In pkg/user/user_password_reset.go, the ResetPassword function successfully updates the user's password but fails to delete the reset token used to authorize the request. Instead, it attempts to delete a TokenEmailConfirm token, leaving the TokenPasswordReset active.

Vulnerable Code: pkg/user/user_password_reset.go (Lines 36-94)

func ResetPassword(s *xorm.Session, reset *PasswordReset) (userID int64, err error) {
    // ... [Validation and User Lookup] ...

    // Hash the password
    user.Password, err = HashPassword(reset.NewPassword)
    if err != nil {
        return
    }

    // FLAW: Deletes 'TokenEmailConfirm' instead of the current 'TokenPasswordReset'
    err = removeTokens(s, user, TokenEmailConfirm)
    if err != nil {
        return
    }

    // ... [Update User Status and Return] ...
    // The reset token is never removed and remains valid in the DB.
}
  1. Logic Error in Token Cleanup (Inverted Expiry) The background cron job intended to expire old tokens contains an inverted comparison operator. It deletes tokens newer than 24 hours instead of older ones.

Vulnerable Code: pkg/user/token.go (Lines 125-151)

func RegisterTokenCleanupCron() {
    // ...
    err := cron.Schedule("0 * * * *", func() {
        // ...
        // FLAW: "created > ?" selects tokens created AFTER 24 hours ago.
        // This deletes NEW valid tokens and keeps OLD expired tokens forever.
        deleted, err := s.
            Where("created > ? AND (kind = ? OR kind = ?)", 
            time.Now().Add(time.Hour*24*-1), 
            TokenPasswordReset, TokenAccountDeletion).
            Delete(&Token{})
        // ...
    })
}

Impact Persistent Account Takeover: An attacker with a single valid token can reset the victim's password an unlimited number of times.

Bypass of Remediation: Even if the victim notices suspicious activity and changes their password, the attacker can use the same old token to reset it again immediately.

Infinite Attack Window: Because the cleanup cron is broken, the token effectively has a generic TTL of "forever," allowing exploitation months or years after the token was issued.

Remediation 1. Invalidate Token on Use Update ResetPassword to delete the specific reset token upon successful completion. // Recommended Fix err = removeTokens(s, user, TokenPasswordReset) // Correct TokenKind 2. Fix Cleanup Logic Update the SQL query in RegisterTokenCleanupCron to target tokens created before the cutoff time. // Recommended Fix Where("created < ? ...", time.Now().Add(time.Hour*24*-1), ...) // Use Less Than (<)

A fix is available at https://github.com/go-vikunja/vikunja/releases/tag/v2.1.0

Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "code.vikunja.io/api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.24.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28268"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-459",
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-28T01:59:28Z",
    "nvd_published_at": "2026-02-27T21:16:18Z",
    "severity": "CRITICAL"
  },
  "details": "**Summary**\nA critical business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever.\n\nThis allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls.\n\n**Technical Analysis**\nThe vulnerability stems from two distinct logic errors in the pkg/user/ package that confirm the tokens are never removed.\n\n1. Logic Error in Password Reset (No Invalidation)\nIn pkg/user/user_password_reset.go, the ResetPassword function successfully updates the user\u0027s password but fails to delete the reset token used to authorize the request. Instead, it attempts to delete a TokenEmailConfirm token, leaving the TokenPasswordReset active.\n\nVulnerable Code: pkg/user/user_password_reset.go (Lines 36-94)\n```\nfunc ResetPassword(s *xorm.Session, reset *PasswordReset) (userID int64, err error) {\n    // ... [Validation and User Lookup] ...\n\n    // Hash the password\n    user.Password, err = HashPassword(reset.NewPassword)\n    if err != nil {\n        return\n    }\n\n    // FLAW: Deletes \u0027TokenEmailConfirm\u0027 instead of the current \u0027TokenPasswordReset\u0027\n    err = removeTokens(s, user, TokenEmailConfirm)\n    if err != nil {\n        return\n    }\n\n    // ... [Update User Status and Return] ...\n    // The reset token is never removed and remains valid in the DB.\n}\n```\n2. Logic Error in Token Cleanup (Inverted Expiry)\nThe background cron job intended to expire old tokens contains an inverted comparison operator. It deletes tokens newer than 24 hours instead of older ones.\n\nVulnerable Code: pkg/user/token.go (Lines 125-151)\n```\nfunc RegisterTokenCleanupCron() {\n    // ...\n    err := cron.Schedule(\"0 * * * *\", func() {\n        // ...\n        // FLAW: \"created \u003e ?\" selects tokens created AFTER 24 hours ago.\n        // This deletes NEW valid tokens and keeps OLD expired tokens forever.\n        deleted, err := s.\n            Where(\"created \u003e ? AND (kind = ? OR kind = ?)\", \n            time.Now().Add(time.Hour*24*-1), \n            TokenPasswordReset, TokenAccountDeletion).\n            Delete(\u0026Token{})\n        // ...\n    })\n}\n\n```\n\n**Impact**\nPersistent Account Takeover: An attacker with a single valid token can reset the victim\u0027s password an unlimited number of times.\n\nBypass of Remediation: Even if the victim notices suspicious activity and changes their password, the attacker can use the same old token to reset it again immediately.\n\nInfinite Attack Window: Because the cleanup cron is broken, the token effectively has a generic TTL of \"forever,\" allowing exploitation months or years after the token was issued.\n\n**Remediation**\n1. Invalidate Token on Use\nUpdate ResetPassword to delete the specific reset token upon successful completion.\n`// Recommended Fix\nerr = removeTokens(s, user, TokenPasswordReset) // Correct TokenKind`\n2. Fix Cleanup Logic\nUpdate the SQL query in RegisterTokenCleanupCron to target tokens created before the cutoff time.\n`// Recommended Fix\nWhere(\"created \u003c ? ...\", time.Now().Add(time.Hour*24*-1), ...) // Use Less Than (\u003c)`\n\nA fix is available at https://github.com/go-vikunja/vikunja/releases/tag/v2.1.0",
  "id": "GHSA-rfjg-6m84-crj2",
  "modified": "2026-02-28T01:59:28Z",
  "published": "2026-02-28T01:59:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-rfjg-6m84-crj2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28268"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/commit/5c2195f9fca9ad208477e865e6009c37889f87b2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-vikunja/vikunja"
    },
    {
      "type": "WEB",
      "url": "https://vikunja.io/changelog/vikunja-v2.1.0-was-released"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.