CVE-2026-35597: Vikunja Vulnerable to TOTP Brute-Force Due to Non-Functional Account Lockout
The TOTP failed-attempt lockout mechanism is non-functional due to a database transaction handling bug. The account lock is written to the same database session that the login handler always rolls back on TOTP failure, so the lockout is triggered but never persisted. This allows unlimited brute-force attempts against TOTP codes.
References
- github.com/advisories/GHSA-fgfv-pv97-6cmj
- github.com/go-vikunja/vikunja
- github.com/go-vikunja/vikunja/commit/6ca0151d02fa0e8c7e2181ab916a28e08caaaec8
- github.com/go-vikunja/vikunja/pull/2576
- github.com/go-vikunja/vikunja/releases/tag/v2.3.0
- github.com/go-vikunja/vikunja/security/advisories/GHSA-fgfv-pv97-6cmj
- nvd.nist.gov/vuln/detail/CVE-2026-35597
Code Behaviors & Features
Detect and mitigate CVE-2026-35597 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →