Nixpkgs Security Tracker

Untriaged

Permalink CVE-2026-29794

5.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): LOW

created 22 hours ago

Vikunja has Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers

Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the `X-Forwarded-For` or `X-Real-IP` headers due to the rate-limit relying on the value of `(echo.Context).RealIP`. Unauthenticated users can abuse endpoints available to them for different potential impacts. The immediate concern would be brute-forcing usernames or specific accounts' passwords. This bypass allows unlimited requests against unauthenticated endpoints. Version 2.2.0 patches the issue.

References

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-m547-hp4w-j6jx x_refsource_CONFIRM
https://vikunja.io/changelog/vikunja-v2.2.0-was-released x_refsource_MISC

Affected products

vikunja

==>= 0.8, < 2.2.0

Matching in nixpkgs

pkgs.vikunja

Todo-app to organize your life

nixos-unstable 2.1.0
- nixpkgs-unstable 2.1.0
- nixos-unstable-small 2.1.0
nixos-25.11 2.1.0
- nixos-25.11-small 2.1.0
- nixpkgs-25.11-darwin 2.1.0

pkgs.vikunja-desktop

Desktop App of the Vikunja to-do list app

nixos-unstable 2.1.0
- nixpkgs-unstable 2.1.0
- nixos-unstable-small 2.1.0

Package maintainers