{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-29794", "tracking": { "current_release_date": "2026-03-25T18:13:45.094411Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-29794", "initial_release_date": "2026-03-20T18:34:06.319291Z", "revision_history": [ { "date": "2026-03-20T18:34:06.319291Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)." }, { "date": "2026-03-20T18:34:10.569799Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-20T18:34:49.127234Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (2).| CWES updated (1)." }, { "date": "2026-03-20T18:34:51.831714Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-03-20T18:36:21.794855Z", "number": "5", "summary": "Unknown change." }, { "date": "2026-03-20T21:41:09.355684Z", "number": "6", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (5).| CWES updated (1)." }, { "date": "2026-03-20T21:41:14.199499Z", "number": "7", "summary": "NCSC Score updated." }, { "date": "2026-03-21T15:28:04.946969Z", "number": "8", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-21T15:28:07.386432Z", "number": "9", "summary": "NCSC Score updated." }, { "date": "2026-03-24T21:25:38.015435Z", "number": "10", "summary": "Products created (1).| Product Identifiers created (1).| Exploits created (1)." }, { "date": "2026-03-24T21:25:47.396087Z", "number": "11", "summary": "NCSC Score updated." }, { "date": "2026-03-25T18:13:15.271749Z", "number": "12", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (4).| CWES updated (1)." }, { "date": "2026-03-25T18:13:16.786937Z", "number": "13", "summary": "NCSC Score updated." }, { "date": "2026-03-25T18:13:43.503782Z", "number": "14", "summary": "Source created.| CVE status created. (valid)| Description created for source.| References created (4)." } ], "status": "interim", "version": "14" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0.8|<2.2.0", "product": { "name": "vers:unknown/>=0.8|<2.2.0", "product_id": "CSAFPID-5907238" } } ], "category": "product_name", "name": "api" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0.8|<2.2.0", "product": { "name": "vers:unknown/>=0.8|<2.2.0", "product_id": "CSAFPID-5875136" } } ], "category": "product_name", "name": "vikunja" } ], "category": "vendor", "name": "go-vikunja" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0.8|<2.2.0", "product": { "name": "vers:unknown/>=0.8|<2.2.0", "product_id": "CSAFPID-5903082", "product_identification_helper": { "cpe": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "vikunja" } ], "category": "vendor", "name": "vikunja" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-29794", "cwe": { "id": "CWE-807", "name": "Reliance on Untrusted Inputs in a Security Decision" }, "notes": [ { "category": "description", "text": "Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the `X-Forwarded-For` or `X-Real-IP` headers due to the rate-limit relying on the value of `(echo.Context).RealIP`. Unauthenticated users can abuse endpoints available to them for different potential impacts. The immediate concern would be brute-forcing usernames or specific accounts' passwords. This bypass allows unlimited requests against unauthenticated endpoints. Version 2.2.0 patches the issue.", "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-29794" }, { "category": "description", "text": "Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the `X-Forwarded-For` or `X-Real-IP` headers due to the rate-limit relying on the value of `(echo.Context).RealIP`. Unauthenticated users can abuse endpoints available to them for different potential impacts. The immediate concern would be brute-forcing usernames or specific accounts' passwords. This bypass allows unlimited requests against unauthenticated endpoints. Version 2.2.0 patches the issue.", "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/29xxx/CVE-2026-29794.json" }, { "category": "description", "text": "### Summary\nUnauthenticated users are able to bypass the application's built-in rate-limits by spoofing the `X-Forwarded-For` or `X-Real-IP` headers due to the rate-limit relying on the value of `(echo.Context).RealIP`. \n\n### Details\nIn the first file below, the rate-limit for unauthenticated users can be observed being populated with the `ip` value. In the second file, it shows it using the `c.RealIP()` function for the `ip` case. Due to this, the rate-limit will rely on the value of one of the two mentioned headers (`X-Forwarded-For` or `X-Real-IP`). These can be spoofed by users client-side in order to completely bypass any unauthenticated rate-limits in place.\n\nSome reverse proxies like Traefik will overwrite this value by default, but others will not, leaving any deployment that either isn't using a reserve proxy that specifically overwrites the header's value or isn't using a reverse proxy vulnerable. \n\n**File 1:** pkg\\routes\\routes.go:318\n```go\n// This is the group with no auth\n\t// It is its own group to be able to rate limit this based on different heuristics\n\tn := a.Group(\"\")\n\tsetupRateLimit(n, \"ip\")\n\n\t// Docs\n\tn.GET(\"/docs.json\", apiv1.DocsJSON)\n\tn.GET(\"/docs\", apiv1.RedocUI)\n\n\t// Prometheus endpoint\n\tsetupMetrics(n)\n\n\t// Separate route for unauthenticated routes to enable rate limits for it\n\tur := a.Group(\"\")\n\trate := limiter.Rate{\n\t\tPeriod: 60 * time.Second,\n\t\tLimit: config.RateLimitNoAuthRoutesLimit.GetInt64(),\n\t}\n\trateLimiter := createRateLimiter(rate)\n\tur.Use(RateLimit(rateLimiter, \"ip\"))\n```\n**File 2:** pkg\\routes\\rate_limit.go:41\n```go\n// RateLimit is the rate limit middleware\nfunc RateLimit(rateLimiter *limiter.Limiter, rateLimitKind string) echo.MiddlewareFunc {\n\treturn func(next echo.HandlerFunc) echo.HandlerFunc {\n\t\treturn func(c *echo.Context) (err error) {\n\t\t\tvar rateLimitKey string\n\t\t\tswitch rateLimitKind {\n\t\t\tcase \"ip\":\n\t\t\t\trateLimitKey = c.RealIP()\n\t\t\tcase \"user\":\n\t\t\t\tauth, err := auth2.GetAuthFromClaims(c)\n\t\t\t\tif err != nil {\n\t\t\t\t\tlog.Errorf(\"Error getting auth from jwt claims: %v\", err)\n\t\t\t\t}\n\t\t\t\trateLimitKey = \"user_\" + strconv.FormatInt(auth.GetID(), 10)\n\t\t\tdefault:\n\t\t\t\tlog.Errorf(\"Unknown rate limit kind configured: %s\", rateLimitKind)\n\t\t\t}\n```\n\n### PoC\n1. Download and run the default docker compose file via the instructions here: [https://vikunja.io/install/](https://vikunja.io/install/). Do not configure a proxy.\n2. Once running, navigate to the application in a web browser that is using a web proxy, such as Burp Suite.\n3. Attempt to authenticate to the application with an invalid username and password.\n4. In the web proxy's logs, locate the request to the `/api/v1/login` endpoint. Observe that the response contains rate-limit details:\n```http\nHTTP/1.1 403 Forbidden\nCache-Control: no-store\nContent-Type: application/json\nVary: Origin\nX-Ratelimit-Limit: 10\nX-Ratelimit-Remaining: 9\nX-Ratelimit-Reset: 1772224455\nDate: Fri, 27 Feb 2026 20:33:16 GMT\nContent-Length: 54\n\n{\"code\":1011,\"message\":\"Wrong username or password.\"}\n```\n5. Add the `X-Forwarded-For` header with an arbitrary value, like so: `X-Forwarded-For: FakeValue`. Send the request 10 times, or until the rate-limit is at zero.\n6. Modify the `X-Forwarded-For` headers value to be different, like so: `X-Forwarded-For: NewValue`.\n7. Observe that the `X-Ratelimit-Remaining` header's value has reset its countdown and is back at `9`. \n\n### Impact\nUnauthenticated users can abuse endpoints available to them for different potential impacts. The immediate concern would be brute-forcing usernames or specific accounts' passwords. This bypass allows unlimited requests against unauthenticated endpoints.", "title": "github - https://api.github.com/advisories/GHSA-m547-hp4w-j6jx" }, { "category": "description", "text": "### Summary\nUnauthenticated users are able to bypass the application's built-in rate-limits by spoofing the `X-Forwarded-For` or `X-Real-IP` headers due to the rate-limit relying on the value of `(echo.Context).RealIP`. \n\n### Details\nIn the first file below, the rate-limit for unauthenticated users can be observed being populated with the `ip` value. In the second file, it shows it using the `c.RealIP()` function for the `ip` case. Due to this, the rate-limit will rely on the value of one of the two mentioned headers (`X-Forwarded-For` or `X-Real-IP`). These can be spoofed by users client-side in order to completely bypass any unauthenticated rate-limits in place.\n\nSome reverse proxies like Traefik will overwrite this value by default, but others will not, leaving any deployment that either isn't using a reserve proxy that specifically overwrites the header's value or isn't using a reverse proxy vulnerable. \n\n**File 1:** pkg\\routes\\routes.go:318\n```go\n// This is the group with no auth\n\t// It is its own group to be able to rate limit this based on different heuristics\n\tn := a.Group(\"\")\n\tsetupRateLimit(n, \"ip\")\n\n\t// Docs\n\tn.GET(\"/docs.json\", apiv1.DocsJSON)\n\tn.GET(\"/docs\", apiv1.RedocUI)\n\n\t// Prometheus endpoint\n\tsetupMetrics(n)\n\n\t// Separate route for unauthenticated routes to enable rate limits for it\n\tur := a.Group(\"\")\n\trate := limiter.Rate{\n\t\tPeriod: 60 * time.Second,\n\t\tLimit: config.RateLimitNoAuthRoutesLimit.GetInt64(),\n\t}\n\trateLimiter := createRateLimiter(rate)\n\tur.Use(RateLimit(rateLimiter, \"ip\"))\n```\n**File 2:** pkg\\routes\\rate_limit.go:41\n```go\n// RateLimit is the rate limit middleware\nfunc RateLimit(rateLimiter *limiter.Limiter, rateLimitKind string) echo.MiddlewareFunc {\n\treturn func(next echo.HandlerFunc) echo.HandlerFunc {\n\t\treturn func(c *echo.Context) (err error) {\n\t\t\tvar rateLimitKey string\n\t\t\tswitch rateLimitKind {\n\t\t\tcase \"ip\":\n\t\t\t\trateLimitKey = c.RealIP()\n\t\t\tcase \"user\":\n\t\t\t\tauth, err := auth2.GetAuthFromClaims(c)\n\t\t\t\tif err != nil {\n\t\t\t\t\tlog.Errorf(\"Error getting auth from jwt claims: %v\", err)\n\t\t\t\t}\n\t\t\t\trateLimitKey = \"user_\" + strconv.FormatInt(auth.GetID(), 10)\n\t\t\tdefault:\n\t\t\t\tlog.Errorf(\"Unknown rate limit kind configured: %s\", rateLimitKind)\n\t\t\t}\n```\n\n### PoC\n1. Download and run the default docker compose file via the instructions here: [https://vikunja.io/install/](https://vikunja.io/install/). Do not configure a proxy.\n2. Once running, navigate to the application in a web browser that is using a web proxy, such as Burp Suite.\n3. Attempt to authenticate to the application with an invalid username and password.\n4. In the web proxy's logs, locate the request to the `/api/v1/login` endpoint. Observe that the response contains rate-limit details:\n```http\nHTTP/1.1 403 Forbidden\nCache-Control: no-store\nContent-Type: application/json\nVary: Origin\nX-Ratelimit-Limit: 10\nX-Ratelimit-Remaining: 9\nX-Ratelimit-Reset: 1772224455\nDate: Fri, 27 Feb 2026 20:33:16 GMT\nContent-Length: 54\n\n{\"code\":1011,\"message\":\"Wrong username or password.\"}\n```\n5. Add the `X-Forwarded-For` header with an arbitrary value, like so: `X-Forwarded-For: FakeValue`. Send the request 10 times, or until the rate-limit is at zero.\n6. Modify the `X-Forwarded-For` headers value to be different, like so: `X-Forwarded-For: NewValue`.\n7. Observe that the `X-Ratelimit-Remaining` header's value has reset its countdown and is back at `9`. \n\n### Impact\nUnauthenticated users can abuse endpoints available to them for different potential impacts. The immediate concern would be brute-forcing usernames or specific accounts' passwords. This bypass allows unlimited requests against unauthenticated endpoints.", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-m547-hp4w-j6jx.json?alt=media" }, { "category": "description", "text": "Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers in code.vikunja.io/api.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: code.vikunja.io/api from v0.8.0 before v2.2.0.", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4791.json?alt=media" }, { "category": "other", "text": "0.00062", "title": "EPSS" }, { "category": "other", "text": "3.7", "title": "NCSC Score" }, { "category": "other", "text": "Is related to (a version of) an uncommon product, The value of the most recent EPSS score, Exploit code publicly available, There is exploit data available from source Nvd", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5875136", "CSAFPID-5903082", "CSAFPID-5907238" ] }, "references": [ { "category": "external", "summary": "Source - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-29794" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/29xxx/CVE-2026-29794.json" }, { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-m547-hp4w-j6jx" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-m547-hp4w-j6jx.json?alt=media" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4791.json?alt=media" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-m547-hp4w-j6jx" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released" }, { "category": "external", "summary": "Reference - github; osv", "url": "https://github.com/go-vikunja/vikunja/commit/a498dd69915a006c07e9d82660a2185d7e8136ee" }, { "category": "external", "summary": "Reference - github; osv", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29794" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-m547-hp4w-j6jx" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM" }, "products": [ "CSAFPID-5875136", "CSAFPID-5903082", "CSAFPID-5907238" ] } ], "title": "CVE-2026-29794" } ] }