Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 5b785e2cf4a5 · 2026-03-25T21:12:38.000Z
GHSA-94xm-jj8x-3cr4 GHSA-c2c7-rcm5-vvqj
diff --git a/advisories/github-reviewed/2026/03/GHSA-94xm-jj8x-3cr4/GHSA-94xm-jj8x-3cr4.json b/advisories/github-reviewed/2026/03/GHSA-94xm-jj8x-3cr4/GHSA-94xm-jj8x-3cr4.json
@@ -0,0 +1,84 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-94xm-jj8x-3cr4",
+  "modified": "2026-03-25T21:10:05Z",
+  "published": "2026-03-25T21:10:05Z",
+  "aliases": [
+    "CVE-2026-33668"
+  ],
+  "summary": "Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect",
+  "details": "## Summary\n\nWhen a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue accessing the API and syncing data.\n\n## Details\n\nUser status (`StatusDisabled`, `StatusAccountLocked`) is checked in only two places:\n\n1. **Local/LDAP login** (`pkg/routes/api/v1/login.go:74`) — prevents issuing new JWTs\n2. **JWT token refresh** (`pkg/routes/api/v1/login.go:247`) — prevents refreshing expired JWTs\n\nThree other authentication paths fetch the user from the database via `GetUserByID` but never inspect the returned user's status:\n\n### 1. API Token Authentication (`pkg/routes/api_tokens.go:76-103`)\n\nAPI tokens are long-lived (up to years) and have no refresh cycle. A disabled user's API tokens remain fully functional until they expire naturally.\n\n### 2. CalDAV Basic Auth (`pkg/routes/caldav/auth.go`)\n\nThe CalDAV basic auth handler validates credentials but does not check user status before granting access. A disabled user with valid credentials or a CalDAV token can continue syncing calendars and tasks.\n\n### 3. OpenID Connect Callback (`pkg/modules/auth/openid/openid.go`)\n\nThe OIDC callback issues a fresh JWT token after validating the identity provider's response but does not check whether the Vikunja user account is disabled. If the user's identity provider session is still active, they receive a valid JWT despite being disabled in Vikunja.\n\n## Impact\n\nAn administrator who disables a user account expects that user to be immediately locked out. In practice:\n\n- **API tokens**: The user retains full API access for the remaining lifetime of any issued API tokens — potentially months or years.\n- **CalDAV**: The user can continue reading and writing tasks/events via any CalDAV client.\n- **OIDC**: The user can obtain a fresh, fully valid JWT by re-authenticating through their identity provider, completely bypassing the account disable.\n\n## Proof of Concept\n\n1. Create a user and generate an API token.\n2. Disable the user account via the admin API or CLI.\n3. Make an API request using the API token:\n   ```bash\n   curl -H \"Authorization: Bearer tk_<token>\" https://vikunja.example/api/v1/user\n   ```\n4. The request succeeds with a 200 response despite the account being disabled.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "code.vikunja.io/api"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.18.0"
+            },
+            {
+              "fixed": "2.2.1"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.2.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-94xm-jj8x-3cr4"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33668"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-vikunja/vikunja/commit/033922309f492996c928122fb49b691339199c35"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-vikunja/vikunja/commit/04704e0fde4b027039cf583110cee7afe136fc1b"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-vikunja/vikunja/commit/0b04768d830c80e9fde1b0962db1499cc652da0e"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-vikunja/vikunja/commit/fd452b9cb6457fd4f9936527a14c359818f1cca7"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/go-vikunja/vikunja"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-285"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-25T21:10:05Z",
+    "nvd_published_at": "2026-03-24T16:16:34Z"
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-c2c7-rcm5-vvqj/GHSA-c2c7-rcm5-vvqj.json b/advisories/github-reviewed/2026/03/GHSA-c2c7-rcm5-vvqj/GHSA-c2c7-rcm5-vvqj.json
@@ -0,0 +1,99 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-c2c7-rcm5-vvqj",
+  "modified": "2026-03-25T21:12:07Z",
+  "published": "2026-03-25T21:12:07Z",
+  "aliases": [
+    "CVE-2026-33671"
+  ],
+  "summary": "Picomatch has a ReDoS vulnerability via extglob quantifiers",
+  "details": "### Impact\n`picomatch` is vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input.\n\nExamples of problematic patterns include `+(a|aa)`, `+(*|?)`, `+(+(a))`, `*(+(a))`, and `+(+(+(a)))`. In local reproduction, these patterns caused multi-second event-loop blocking with relatively short inputs. For example, `+(a|aa)` compiled to `^(?:(?=.)(?:a|aa)+)$` and took about 2 seconds to reject a 41-character non-matching input, while nested patterns such as `+(+(a))` and `*(+(a))` took around 29 seconds to reject a 33-character input on a modern M1 MacBook.\n\nApplications are impacted when they allow untrusted users to supply glob patterns that are passed to `picomatch` for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way.\n\n### Patches\nThis issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2.\n\nUsers should upgrade to one of these versions or later, depending on their supported release line.\n\n### Workarounds\nIf upgrading is not immediately possible, avoid passing untrusted glob patterns to `picomatch`.\n\nPossible mitigations include:\n- disable extglob support for untrusted patterns by using `noextglob: true`\n- reject or sanitize patterns containing nested extglobs or extglob quantifiers such as `+()` and `*()`\n- enforce strict allowlists for accepted pattern syntax\n- run matching in an isolated worker or separate process with time and resource limits\n- apply application-level request throttling and input validation for any endpoint that accepts glob patterns\n\n### Resources\n- Picomatch repository: https://github.com/micromatch/picomatch\n- `lib/parse.js` and `lib/constants.js` are involved in generating the vulnerable regex forms\n- Comparable ReDoS precedent: CVE-2024-4067 (`micromatch`)\n- Comparable generated-regex precedent: CVE-2024-45296 (`path-to-regexp`)",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "picomatch"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.0.0"
+            },
+            {
+              "fixed": "4.0.4"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "picomatch"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.0.0"
+            },
+            {
+              "fixed": "3.0.2"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "picomatch"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.3.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/micromatch/picomatch"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1333"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-25T21:12:07Z",
+    "nvd_published_at": null
+  }
+}
