Vikunja OIDC Callback TOTP Bypass Vulnerability
Vulnerability
A vulnerability in Vikunja's OIDC callback handler prior to version 2.3.0 allows users with TOTP two-factor authentication enabled to bypass the second-factor requirement. The issue arises because the callback handler issues a full JWT without first checking whether the user has TOTP enabled. When a local user with TOTP enrolled is matched through the OIDC email fallback, the TOTP verification is skipped entirely, granting access without the required authentication challenge.
Impact
This vulnerability allows users to bypass TOTP two-factor authentication when logging in via OIDC, undermining the security of accounts that have TOTP enabled. An attacker who can authenticate with the OIDC provider using a matching email address can gain full access to the user's account without completing the TOTP verification.
Reproduction
To reproduce this vulnerability, log in to Vikunja v2.2.2 using the OIDC email fallback feature with a local user account that has TOTP enabled. The OIDC callback will issue a JWT token without requiring TOTP verification, bypassing the two-factor authentication entirely.
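The flawed pattern and a corrected one side by side, as an added Go model written for this page. It is not Vikunja's code and does not reproduce the project's actual fix; the `scope` claim, the `totp_pending` value, the expiry durations, the HS256 demo key, the `User` record and the `completeTOTP` exchange step are all assumptions of the example. What it shows is the exact defect the advisory describes (a full session token issued after the OIDC identity is matched to a local user, with the TOTP flag never consulted) and one mitigation shape: the callback checks the enrollment flag, hands a TOTP-enrolled user only a short-lived token that a separate second-factor step must upgrade, and protected endpoints honour nothing but full-scope tokens.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// User is a constructed stand-in for a local account record.
type User struct {
	ID          int64
	Email       string
	TOTPEnabled bool // true once the user has enrolled a TOTP second factor
}

// Claims is the JWT payload this model issues. The "scope" claim is an
// assumption: "full" is a normal session, "totp_pending" only permits
// finishing the second-factor step.
type Claims struct {
	Sub   int64  `json:"sub"`
	Email string `json:"email"`
	Scope string `json:"scope"`
	Exp   int64  `json:"exp"`
}

// demoKey is a constructed HS256 key for the example only.
var demoKey = []byte("constructed-demo-key-do-not-use-in-production")

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signJWT produces a compact HS256 JWT (header.payload.signature).
func signJWT(c Claims, key []byte) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), nil
}

// verifyJWT checks the signature and expiry, then returns the claims.
func verifyJWT(token string, key []byte, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return Claims{}, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, err
	}
	if now.Unix() >= c.Exp {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// vulnerableOIDCCallback models the flawed pattern: once the OIDC identity is
// matched to a local user, a full-session token is issued and u.TOTPEnabled
// is never consulted.
func vulnerableOIDCCallback(u User, now time.Time) (string, error) {
	return signJWT(Claims{Sub: u.ID, Email: u.Email, Scope: "full",
		Exp: now.Add(24 * time.Hour).Unix()}, demoKey)
}

// fixedOIDCCallback consults the flag: a TOTP-enrolled user only gets a
// short-lived pending token that completeTOTP must exchange for a session.
func fixedOIDCCallback(u User, now time.Time) (string, error) {
	scope, exp := "full", now.Add(24*time.Hour)
	if u.TOTPEnabled {
		scope, exp = "totp_pending", now.Add(5*time.Minute)
	}
	return signJWT(Claims{Sub: u.ID, Email: u.Email, Scope: scope, Exp: exp.Unix()}, demoKey)
}

// completeTOTP upgrades a pending token to a full session; codeValid stands in
// for the TOTP code check performed elsewhere.
func completeTOTP(pending string, codeValid bool, now time.Time) (string, error) {
	c, err := verifyJWT(pending, demoKey, now)
	if err != nil {
		return "", err
	}
	if c.Scope != "totp_pending" || !codeValid {
		return "", errors.New("second factor not satisfied")
	}
	return signJWT(Claims{Sub: c.Sub, Email: c.Email, Scope: "full",
		Exp: now.Add(24 * time.Hour).Unix()}, demoKey)
}

// authorizeAPIRequest is the check a protected endpoint performs: only a
// valid full-scope token grants access.
func authorizeAPIRequest(token string, now time.Time) bool {
	c, err := verifyJWT(token, demoKey, now)
	return err == nil && c.Scope == "full"
}

func main() {
	alice, now := User{ID: 7, Email: "alice@example.test", TOTPEnabled: true}, time.Now()
	vuln, _ := vulnerableOIDCCallback(alice, now)
	fixed, _ := fixedOIDCCallback(alice, now)
	fmt.Println("vulnerable callback grants access without TOTP:", authorizeAPIRequest(vuln, now))
	fmt.Println("fixed callback grants access before TOTP:", authorizeAPIRequest(fixed, now))
}
```

Two design points carry the mitigation. First, the decision is taken at the point where the OIDC identity is bound to the local account, because that is the only place the enrollment flag is reliably known; any later "remember to check TOTP" hook is exactly what the email-fallback path missed. Second, the pending token is distinguishable from a session by the resource server, so even if a pending token leaks it cannot be used to read data, and its short expiry bounds how long the second-factor step stays open.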
Remediation
Users should update to Vikunja version 2.3.0 or later, where this vulnerability has been fixed.
