CVE-2026-29794

Published: Mar 20, 2026 Last Modified: Mar 20, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 5,3

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: none

Integrity: none

Availability: low

Description

AI Translation Available

Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the `X-Forwarded-For` or `X-Real-IP` headers due to the rate-limit relying on the value of `(echo.Context).RealIP`. Unauthenticated users can abuse endpoints available to them for different potential impacts. The immediate concern would be brute-forcing usernames or specific accounts' passwords. This bypass allows unlimited requests against unauthenticated endpoints. Version 2.2.0 patches the issue.

807

Reliance on Untrusted Inputs in a Security Decision

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Access Control Availability Other

Potential Impacts:

Bypass Protection Mechanism Gain Privileges Or Assume Identity Varies By Context

Applicable Platforms

Technologies: Not Technology-Specific, Web Based, Web Server

Likelihood of Exploit: High

View CWE Details

https://github.com/go-vikunja/vikunja/security/advisories/G…

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-m547-hp4w-j6jx

https://vikunja.io/changelog/vikunja-v2.2.0-was-released

CVE-2026-29794

Description

Reliance on Untrusted Inputs in a Security Decision

Common Consequences

Applicable Platforms

Iscriviti alla newsletter