Is CVE-2026-28268 actively exploited?

CVE-2026-28268 has no public evidence of in-the-wild exploitation as of 2026-03-06.

What is the CVSS score for CVE-2026-28268?

CVE-2026-28268 has a CVSS score of 9.8 (CRITICAL severity). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

How do I patch CVE-2026-28268?

Patch guidance is available from vikunja security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2026-28268.

Fix CVE-2026-28268 - CRITICAL vikunja vikunja

Description

Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever. This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: network
Complexity: low
Privileges: none
User Action: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
Weaknesses: CWE-459 CWE-640 CWE-640

Metadata

Primary Vendor: VIKUNJA
Published: 2/27/2026
Last Modified: 3/6/2026
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

CVE-2026-28268

Description

CVSS Metrics

Metadata

Affected Products

Remediation Guidance

Executive Summary