CVE-2026-33473: Vikunja has TOTP Reuse During Validity Window

March 20, 2026 (updated March 25, 2026)

Any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window.

References

github.com/advisories/GHSA-p747-qc5p-773r
github.com/go-vikunja/vikunja
github.com/go-vikunja/vikunja/security/advisories/GHSA-p747-qc5p-773r
nvd.nist.gov/vuln/detail/CVE-2026-33473
vikunja.io/changelog/vikunja-v2.2.0-was-released
vikunja.io/changelog/vikunja-v2.2.2-was-released

Code Behaviors & Features

Detect and mitigate CVE-2026-33473 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →