Vikunja Disabled and Locked User Authentication Bypass Vulnerability

Vulnerability

A vulnerability in Vikunja, a self-hosted task management platform, allows disabled or locked user accounts to bypass authentication restrictions and reach the API through API tokens, CalDAV basic authentication, and OpenID Connect. The issue affects Vikunja versions from 0.18.0 up to, but not including, 2.2.1. It arises because the account status checks are enforced only during local (username and password) login and JWT token refresh; the API token, CalDAV basic authentication and OpenID Connect paths resolve the account without checking whether it is disabled or locked. As a result, disabled or locked users can continue to sync data and use the API, undermining the account management features intended to restrict their access.

Impact

Exploitation of this vulnerability allows disabled or locked users to retain API access through existing API tokens, continue syncing data via CalDAV, and obtain new JWT tokens through OpenID Connect, effectively bypassing account restrictions.

Reproduction

To reproduce this vulnerability, first create a user account and generate an API token for it. Then disable the account through the admin API or CLI. After the account is disabled, use the previously issued API token to make an authenticated request to the Vikunja API. On an affected version the request succeeds, demonstrating that the disabled account still has API access; on a patched version (2.2.1 or later) the same request should be rejected.
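The following Go program is an added example, not Vikunja's own code, that models the bug class described in the Vulnerability section and plays through the reproduction steps above. It separates credential resolution (one Authenticator per login path) from account-state enforcement, shows the vulnerable design in which only the password path calls the status check, and the hardened design in which the check runs once at the request gate after any path has resolved a user. All names (Store, Gate, Attempt, the sample user "alice" and the token "tk_example_token") are constructed for this example and do not correspond to Vikunja identifiers.

```go
package main

import "errors"
import "fmt"

type UserStatus int

const (
	StatusActive UserStatus = iota // only Active accounts may use the API
	StatusDisabled
	StatusLocked
)

type User struct {
	Name     string
	Password string // plaintext stand-in for this example only; real code compares a hash
	Status   UserStatus
}

type Store struct { // in-memory stand-in for the database, constructed for this example
	users     map[string]*User // user name -> user
	apiTokens map[string]*User // API token -> user
}

var (
	ErrUnauthorized    = errors.New("unauthorized")
	ErrAccountInactive = errors.New("account is disabled or locked")
)

// checkStatus is the account-state check that, per the advisory, ran only on
// local login and JWT refresh rather than on every authentication path.
func checkStatus(u *User) error {
	if u.Status != StatusActive {
		return ErrAccountInactive
	}
	return nil
}

// Authenticator resolves one credential kind (password, API token, CalDAV basic auth, OIDC) to a user.
type Authenticator func(s *Store, credential string) (*User, error)

// LocalLoginAuth is the password path ("name:password"); it checks the status itself.
func LocalLoginAuth(s *Store, credential string) (*User, error) {
	for name, u := range s.users {
		if name+":"+u.Password == credential {
			if err := checkStatus(u); err != nil {
				return nil, err
			}
			return u, nil
		}
	}
	return nil, ErrUnauthorized
}

// APITokenAuth maps token -> user and never looks at the status: the unprotected path.
func APITokenAuth(s *Store, token string) (*User, error) {
	u, ok := s.apiTokens[token]
	if !ok {
		return nil, ErrUnauthorized
	}
	return u, nil
}

// Gate is the request-level entry point that runs an Authenticator.
type Gate func(s *Store, auth Authenticator, credential string) (*User, error)

// VulnerableGate trusts each Authenticator to enforce account state itself.
func VulnerableGate(s *Store, auth Authenticator, cred string) (*User, error) {
	return auth(s, cred)
}

// HardenedGate enforces account state once, after any Authenticator resolved a user.
func HardenedGate(s *Store, auth Authenticator, cred string) (*User, error) {
	u, err := auth(s, cred)
	if err != nil {
		return nil, err
	}
	if err := checkStatus(u); err != nil {
		return nil, err
	}
	return u, nil
}

const SampleLogin, SampleToken = "alice:correct-horse", "tk_example_token" // constructed

// Attempt follows the advisory's reproduction steps: create a user, issue an API token,
// change the account status, then present a credential. It reports whether it was accepted.
func Attempt(gate Gate, auth Authenticator, cred string, status UserStatus) bool {
	alice := &User{Name: "alice", Password: "correct-horse", Status: StatusActive}
	s := &Store{users: map[string]*User{"alice": alice}, apiTokens: map[string]*User{SampleToken: alice}}
	alice.Status = status // disable or lock the account after the token exists
	_, err := gate(s, auth, cred)
	return err == nil
}

func main() {
	fmt.Println("vulnerable gate accepts disabled user's API token:", Attempt(VulnerableGate, APITokenAuth, SampleToken, StatusDisabled))
	fmt.Println("hardened gate accepts disabled user's API token:", Attempt(HardenedGate, APITokenAuth, SampleToken, StatusDisabled))
}
```

Running the program prints `true` for the vulnerable gate and `false` for the hardened one. The design point is that the status check belongs at the single point every request passes through, not inside each credential handler: any new login path (a second token type, another CalDAV client flow) added later is then covered without remembering to call the check.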

Remediation

Update to Vikunja version 2.2.1 or later, where this vulnerability is patched so that the account status is checked on every authentication path. Instructions for updating are available in the Vikunja documentation.

Added: Mar 24, 2026, 4:30 PM
Updated: Mar 24, 2026, 4:30 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 6.2
remediation: 0.0
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.