CVE-2026-28268
Vikunja · Vikunja (vikunja/api)
A logic flaw in the Vikunja password reset mechanism allows reset tokens to be reused indefinitely, enabling persistent account takeover if a token is intercepted.
Executive summary
A critical flaw in Vikunja’s password reset logic allows attackers to reuse intercepted tokens for permanent account takeover, bypassing all standard authentication controls.
Vulnerability
This is a business logic vulnerability within the vikunja/api component. Because reset tokens are not invalidated when they are used, and the cleanup cron job that should expire them does not work, an unauthenticated attacker who gains access to a single reset token can use it repeatedly to change the affected user's password.
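The two defects the advisory describes (no invalidation on use, no working expiry sweep) are easiest to see side by side. The following Go code is an added example written for this page; it is not Vikunja's code, and the store, type and function names are assumptions. LookupInsecure shows the flawed pattern, where the token is checked but never removed; ConsumeOnce is the hardened form, where validation and deletion happen under one lock so a replay or a concurrent second use fails; Sweep is what the cleanup job must do so that a token cannot outlive its TTL even if it is never consumed.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// resetToken is a constructed record for one outstanding password reset.
// Field names are assumptions for this example, not Vikunja's schema.
type resetToken struct {
	userID  int64
	expires time.Time
}

// ResetStore keeps reset tokens in memory. A real deployment keeps them in the
// database, but the invalidation logic is the same.
type ResetStore struct {
	mu     sync.Mutex
	tokens map[string]resetToken
}

func NewResetStore() *ResetStore {
	return &ResetStore{tokens: make(map[string]resetToken)}
}

var ErrInvalidToken = errors.New("invalid or expired reset token")

// Issue creates a random token for userID that expires ttl after now.
func (s *ResetStore) Issue(userID int64, ttl time.Duration, now time.Time) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(b)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.tokens[tok] = resetToken{userID: userID, expires: now.Add(ttl)}
	return tok, nil
}

// LookupInsecure is the flawed pattern: the token is validated but never
// removed, so it keeps working after the password has already been changed.
func (s *ResetStore) LookupInsecure(tok string, now time.Time) (int64, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rt, ok := s.tokens[tok]
	if !ok || now.After(rt.expires) {
		return 0, ErrInvalidToken
	}
	return rt.userID, nil
}

// ConsumeOnce is the hardened form: the token is looked up and deleted under
// the same lock, so a second use (or a concurrent replay) fails.
func (s *ResetStore) ConsumeOnce(tok string, now time.Time) (int64, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rt, ok := s.tokens[tok]
	if !ok {
		return 0, ErrInvalidToken
	}
	delete(s.tokens, tok) // invalidate whether or not it is still fresh
	if now.After(rt.expires) {
		return 0, ErrInvalidToken
	}
	return rt.userID, nil
}

// Sweep is what the cleanup job must do: drop every expired token so that a
// token which was never consumed still dies at its TTL. Returns the count removed.
func (s *ResetStore) Sweep(now time.Time) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	n := 0
	for tok, rt := range s.tokens {
		if now.After(rt.expires) {
			delete(s.tokens, tok)
			n++
		}
	}
	return n
}

// Len reports the number of outstanding tokens.
func (s *ResetStore) Len() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return len(s.tokens)
}

func main() {
	now := time.Now()
	s := NewResetStore()
	tok, _ := s.Issue(42, time.Hour, now)
	_, err1 := s.LookupInsecure(tok, now)
	_, err2 := s.LookupInsecure(tok, now)
	fmt.Println("insecure: first", err1, "second", err2) // both nil: replayable
	_, err3 := s.ConsumeOnce(tok, now)
	_, err4 := s.ConsumeOnce(tok, now)
	fmt.Println("single-use: first", err3, "second", err4) // nil, then invalid
}
```

The important design point is that ConsumeOnce deletes the token before it checks freshness: an expired token is removed on its first presentation as well, so the store never depends on the sweep alone to get rid of it.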
Business impact
The ability to reuse tokens allows for persistent, long-term unauthorized access to user accounts and sensitive task data. Given the CVSS score of 9.8, this flaw presents a severe risk of data loss and reputational damage, as an attacker can maintain access even after a user attempts to secure their account.
Remediation
Immediate Action: Upgrade Vikunja to version 2.1.0 or later to ensure that password reset tokens are properly invalidated after a single use.
Proactive Monitoring: Review API logs for multiple password reset requests for the same user and check for anomalous token usage patterns in the database.
Compensating Controls: Implement multi-factor authentication (MFA) to provide an additional layer of security that remains effective even if a password is reset by an attacker.
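The monitoring step above asks for a review of API logs for repeated password resets against one account. The Go program below is an added example, not part of this advisory or of Vikunja: it parses a constructed, simplified access-log format (timestamp, method, path, user=, status=) and flags any user with at least a threshold number of successful reset completions inside a sliding time window. The path /api/v1/user/password/reset and the log layout are assumptions; adapt the parser to what your reverse proxy or Vikunja deployment actually emits.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// ResetEvent is one parsed reset-completion record.
type ResetEvent struct {
	At     time.Time
	User   string
	Status string
}

// sampleLog is constructed for this example: three completed resets for
// "alice" within ten minutes (the reuse pattern), one normal reset for "bob",
// and one failed attempt for "carol" that must be ignored.
const sampleLog = `2026-03-01T10:00:05Z POST /api/v1/user/password/reset user=alice status=200
2026-03-01T10:02:41Z POST /api/v1/user/password/reset user=alice status=200
2026-03-01T10:03:10Z POST /api/v1/user/password/reset user=bob status=200
2026-03-01T10:09:58Z POST /api/v1/user/password/reset user=alice status=200
2026-03-01T11:30:00Z POST /api/v1/user/password/reset user=carol status=400`

// resetPath is an assumed endpoint for this example.
const resetPath = "/api/v1/user/password/reset"

// ParseResetLog keeps only successful POSTs to the reset path.
func ParseResetLog(log string) ([]ResetEvent, error) {
	var out []ResetEvent
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) < 5 || f[1] != "POST" || f[2] != resetPath {
			continue
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp %q: %w", f[0], err)
		}
		ev := ResetEvent{At: at}
		for _, kv := range f[3:] {
			k, v, _ := strings.Cut(kv, "=")
			switch k {
			case "user":
				ev.User = v
			case "status":
				ev.Status = v
			}
		}
		if ev.Status == "200" && ev.User != "" {
			out = append(out, ev)
		}
	}
	return out, nil
}

// FlagRepeatedResets returns the users with at least threshold successful
// resets inside any window of the given length, sorted for stable output.
func FlagRepeatedResets(events []ResetEvent, window time.Duration, threshold int) []string {
	byUser := map[string][]time.Time{}
	for _, ev := range events {
		byUser[ev.User] = append(byUser[ev.User], ev.At)
	}
	var flagged []string
	for user, ts := range byUser {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		// Slide a fixed-size group of `threshold` events and check its span.
		for i := 0; i+threshold-1 < len(ts); i++ {
			if ts[i+threshold-1].Sub(ts[i]) <= window {
				flagged = append(flagged, user)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	events, err := ParseResetLog(sampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println("flagged:", FlagRepeatedResets(events, 15*time.Minute, 2))
}
```

A single successful reset is normal, so the threshold should be at least 2; tune the window to how long your reset tokens are valid, since a token reused within its lifetime is exactly the pattern this CVE enables, and investigate flagged accounts by forcing a new reset and checking the stored tokens directly.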
Exploitation status
Public Exploit Available: No
Analyst recommendation
This logic bug effectively breaks the security of the authentication lifecycle. Organizations using Vikunja must apply the version 2.1.0 patch immediately to prevent unauthorized account access and potential data exfiltration.