CVE-2026-33316

Summary

Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement in code.vikunja.io/api

Severity

medium

EPSS

0.4% (p28)

Also known as

GHSA-vq4q-79hh-q767, GO-2026-4798

Published

2026-03-23

References

• https://github.com/go-vikunja/vikunja/security/advisories/GHSA-vq4q-79hh-q767
• https://github.com/go-vikunja/vikunja/commit/049f4a6be46f9460bd516f489ef9f569574bc70d
• https://github.com/go-vikunja/vikunja/commit/d8570c603da1f26635ce6048d6af85ede827abfb

Related advisories

• CVE-2026-34727 — high · Go/code.vikunja.io/api
• CVE-2026-35595 — medium · Go/code.vikunja.io/api
• CVE-2026-35601 — medium · Go/code.vikunja.io/api
• CVE-2026-40103 — medium · Go/code.vikunja.io/api
• CVE-2026-35602 — medium · Go/code.vikunja.io/api
• CVE-2026-35600 — medium · Go/code.vikunja.io/api
• CVE-2026-35599 — medium · Go/code.vikunja.io/api
• CVE-2026-35598 — medium · Go/code.vikunja.io/api

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Summarize with AI

ChatGPTClaudePerplexity